

owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

[DNS] DNSSEC

I posted this question earlier today, but for some reason, it is nowhere to be found, so I will ask again.

I am using the .75 and .76 DNS servers. I use Firefox, and added in the DNSSEC Validator plug-in. On almost all sites, the plug-in shows that the site is not secured by DNSSEC. Sites include this one, and even comcast.net. A very few sites do show as being secured, so I would think that the plug-in is working.

Can anyone explain what is going on? I would have thought that most sites (especially comcast.net) would show as being secured by DNSSEC.


ctg1701a
VIP
join:2008-08-07
Philadelphia, PA

said by owlyn:

I posted this question earlier today, but for some reason, it is nowhere to be found, so I will ask again.

I am using the .75 and .76 DNS servers. I use Firefox, and added in the DNSSEC Validator plug-in. On almost all sites, the plug-in shows that the site is not secured by DNSSEC. Sites include this one, and even comcast.net. A very few sites do show as being secured, so I would think that the plug-in is working.

Can anyone explain what is going on? I would have thought that most sites (especially comcast.net) would show as being secured by DNSSEC.

Hello,

While all Comcast domains are signed, and our caching servers are performing validation, there are some sites that we operate that use global load balancing and content delivery networks like comcast.net. These distributed services currently do not support DNSSEC signing, but we are working to get that support into these systems. You can use some online tools to look at the DNSSEC signing status of sites:

»dnsviz.net/

»dnssec-debugger.verisignlabs.com

Each of these sites will show you how the chain of trust works for a website.

Please let me know if you have any other questions, and thanks for using Comcast DNS.

Thanks
Chris
Comcast
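
Added example, not part of the original thread and not Comcast's tooling: a small Python check for the case described in the reply above, where a signed name hands off to an unsigned CDN or load-balancer zone. It reads `dig +dnssec` output from a validating resolver, reports whether the AD (authenticated data) flag is set, and lists the answer RRsets that arrived without a covering RRSIG; the sample response and every name in it are constructed.

```python
import re

# Constructed `dig +dnssec www.example.com` output (not a real capture): the
# signed name is a CNAME into an unsigned, CDN-style zone (cdn.example.net).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com.         IN  A

;; ANSWER SECTION:
www.example.com.      300 IN  CNAME  edge.cdn.example.net.
www.example.com.      300 IN  RRSIG  CNAME 8 3 300 20130701000000 20130601000000 12345 example.com. c2lnbmF0dXJl
edge.cdn.example.net. 20  IN  A      192.0.2.10
"""

def dnssec_status(dig_text):
    """Classify one dig +dnssec response; return (verdict, unsigned RRsets)."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    flags = re.search(r"^;; flags:([^;]*);", dig_text, re.M).group(1).split()
    rrsets, covered, in_answer = set(), set(), False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False          # blank line or next section header
        elif in_answer:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            if rtype == "RRSIG":       # first rdata field is the type covered
                covered.add((owner.lower(), rdata.split()[0]))
            else:
                rrsets.add((owner.lower(), rtype))
    unsigned = sorted(rrsets - covered)
    if status == "SERVFAIL":
        # A validating resolver answers SERVFAIL when validation fails.
        verdict = "failed (possibly bogus; compare with dig +cd)"
    elif "ad" in flags:
        verdict = "secure"             # resolver validated every RRset
    else:
        # No AD: some RRset is unsigned, or the resolver does not validate.
        verdict = "insecure"
    return verdict, unsigned

if __name__ == "__main__":
    print(dnssec_status(SAMPLE))
```

The AD flag is set only when every RRset in the answer validated, so a single unsigned hop in a CNAME chain is enough for the whole lookup to show as not secured.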


tshirt
Premium,MVM
join:2004-07-11
Snohomish, WA
kudos:3

reply to owlyn
Be sure and clear any local cache(s), as they could be directing you back to the insecure version of some sites.



owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

said by tshirt:

Be sure and clear any local cache(s), as they could be directing you back to the insecure version of some sites.

I did - at least I think I did. Closed FF and ran ipconfig /flushdns.

Anything else?


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

reply to ctg1701a

said by ctg1701a:

said by owlyn:

I posted this question earlier today, but for some reason, it is nowhere to be found, so I will ask again.

I am using the .75 and .76 DNS servers. I use Firefox, and added in the DNSSEC Validator plug-in. On almost all sites, the plug-in shows that the site is not secured by DNSSEC. Sites include this one, and even comcast.net. A very few sites do show as being secured, so I would think that the plug-in is working.

Can anyone explain what is going on? I would have thought that most sites (especially comcast.net) would show as being secured by DNSSEC.

Hello,

While all Comcast domains are signed, and our caching servers are performing validation, there are some sites that we operate that use global load balancing and content delivery networks like comcast.net. These distributed services currently do not support DNSSEC signing, but we are working to get that support into these systems. You can use some online tools to look at the DNSSEC signing status of sites:

»dnsviz.net/

»dnssec-debugger.verisignlabs.com

Each of these sites will show you how the chain of trust works for a website.

Please let me know if you have any other questions, and thanks for using Comcast DNS.

Thanks
Chris
Comcast

Thanks. This helps, but it sure seems as if almost no sites have properly registered. The only ones I've found that work are the testing sites.

bpratt

join:2006-10-24
Redwood City, CA

If you are looking for end node sites that have DNSSEC signed entries, they are still few and far between. That will change, but right now DNSSEC is mostly deployed higher up the DNS chain.



owlyn
Premium,MVM
join:2004-06-05
Newtown, PA

Thanks to both of you. These replies answer my concerns.


over 13.5 years online © 1999-2013 dslreports.com.