[dns-operations] Saga of HBONow DNSSEC Failure

Edward Lewis edward.lewis at icann.org
Tue Mar 10 16:11:21 UTC 2015

On 3/9/15, 23:50, "Livingood, Jason" <Jason_Livingood at cable.comcast.com>

>So earlier today HBO announced a new HBONow streaming service (at an
>Apple event). The FQDN to order, which should have been DNSSEC-enabled,
>was order.hbonow.com. This unfortunately suffered from a rather
>inconveniently timed DNSSEC problem :-(
>Of course, these being hot Net Neutrality days in the U.S., we at
>Comcast were quickly blamed for blocking access to ordering this new
>service (despite failures at Google and other validators).

When this first surfaced after the "infamous NASA.GOV" incident, I sent a
private apology because I (as well as others) knew this day would come -
when an ISP would get the brunt of someone's DNSSEC misfire.  (Others
include many who worked on the original design and deployment workshops.)

This time I'll offer a public apology.  Sorry, Comcast.

The only way I can make this up to you is to better my efforts at making
DNSSEC an easier to run, less clumsy protocol.  The protocol is what it is
- when something doesn't check out, it goes dark.  The mitigation is
better tools to explain this and to manage this.  The negative trust
anchor draft addresses the latter.

Oh, and, Jason, a squirrel has managed to chew through my mom's cable, can
you fix that for me?  Perhaps Comcast could install little squirrel
feeders in the neighborhood.