[dns-operations] Saga of HBONow DNSSEC Failure

Richard Lamb richard.lamb at icann.org
Tue Mar 10 15:38:38 UTC 2015


Jason- Thank you for sharing the details. Another excellent real-world
example. Too bad it caused you consternation. -Rick

From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf
Of Livingood, Jason
Sent: Monday, March 09, 2015 8:50 PM
To: dns-operations
Subject: [dns-operations] Saga of HBONow DNSSEC Failure

So earlier today HBO announced a new HBONow streaming service (at an Apple
event). The FQDN to order, which should have been DNSSEC-enabled, was
order.hbonow.com. This unfortunately suffered from a rather inconveniently
timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/).
:-( Of course, these being hot Net Neutrality days in the U.S., we at
Comcast were quickly blamed for blocking access to ordering this new service
(despite failures at Google and other validators).

Had this persisted much longer, we might have considered a negative trust
anchor of course, assuming we had direct contact with HBO on the matter
(established after they fixed the issue & we flushed the cache). A good
example of the sentiment was the tweet "Wow. I have Comcast and can't reach
http://hbonow.com unless I use a different network. #NetNeutrality".
People tweeted to the FCC to alert them as well.

But two other I-Ds I wrote up did come in handy in some of my replies on
social media: 

http://tools.ietf.org/html/draft-livingood-dnsop-auth-dnssec-mistakes-00

and 

http://tools.ietf.org/html/draft-livingood-dnsop-dont-switch-resolvers-00

Which leads me simply to say that if there's any interest in progressing
these I-Ds in any way, let me know. Of course you may not find them useful
until people yell at you for other people's DNS errors. ;-)

- Jason

 
