Whoever runs the Comcast network really knows his stuff.
They are one of the first large ISPs to actually start real work on deploying IPv6.
And I remember calling during an outage and speaking to someone on the front lines (not second tier) who was actually very technically knowledgeable.
Whatever you may think of their business department (silly things like internet + cable costs less than internet by itself), the network side is really good.
I use Comcast (I'm in Boston) and I once called their phone support to see if I could get the "Domain Helper" disabled, and the tech had no idea what I was talking about. Switching to Google's DNS servers helped.
DNSSEC prevents spoofing (as does HTTPS), but that's about all it does that's relevant to SOPA. This may prevent a particular mechanism of SOPA enforcement, but that's easy enough for the government to work around, in theory.
Exactly. If an ISP simply returns an error for lookups of a blacklisted domain, DNSSEC shouldn't complain; it will just think there's a DNS outage.
Since no one has read it, here's the relevant text: "A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name's Internet Protocol address." (I wonder if I am now cursed.)
Even if DNSSEC and SOPA were mutually exclusive in all aspects (which they are not), being pro-SOPA does not mean Comcast cannot also prepare for the case where SOPA fails to pass.
I find this more interesting not from a SOPA standpoint but because Comcast has in the past given me false responses instead of NXDOMAIN. Anyone happen to know if this could prevent such a thing, or at least provide a mechanism of testing for it other than blacklisting an IP?
They would have to give some kind of error code that indicates that the DNS server isn't working. Any false assertion about DNS results, including false NXDOMAIN responses, will break DNSSEC (your computer would notice that the response has been forged).
It's actually not incompatible with SOPA. The bill demands that ISPs block DNS routing for certain domains. Returning no response to a DNS request would not break DNSSEC. It would just look like that site did not exist.
Some people have proposed that instead of blocking DNS, ISPs should redirect a DNS request. That would be incompatible with DNSSEC--but that requirement is not in the bill.
modeless | 14 years ago
ars | 14 years ago
whichdan | 14 years ago
pjscott | 14 years ago
wmf | 14 years ago
DarkShikari | 14 years ago
msredmond | 14 years ago
simcop2387 | 14 years ago
sp332 | 14 years ago
privacyguru | 14 years ago
http://www.securityweek.com/dnssecs-time-here-sopa-presents-...
snowwrestler | 14 years ago