

owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

[DNS] DNSSEC

I posted this question earlier today, but for some reason, it is nowhere to be found, so I will ask again.

I am using the .75 and .76 DNS servers. I use Firefox, and added in the DNSSEC Validator plug-in. On almost all sites, the plug-in shows that the site is not secured by DNSSEC. Sites include this one, and even comcast.net. A very few sites do show as being secured, so I would think that the plug-in is working.

Can anyone explain what is going on? I would have thought that most sites (especially comcast.net) would show as being secured by DNSSEC.



ctg1701a
VIP
join:2008-08-07
Media, PA

said by owlyn:

I posted this question earlier today, but for some reason, it is nowhere to be found, so I will ask again.

I am using the .75 and .76 DNS servers. I use Firefox, and added in the DNSSEC Validator plug-in. On almost all sites, the plug-in shows that the site is not secured by DNSSEC. Sites include this one, and even comcast.net. A very few sites do show as being secured, so I would think that the plug-in is working.

Can anyone explain what is going on? I would have thought that most sites (especially comcast.net) would show as being secured by DNSSEC.

Hello,

While all Comcast domains are signed, and our caching servers are performing validation, there are some sites that we operate that use global load balancing and content delivery networks like comcast.net. These distributed services currently do not support DNSSEC signing, but we are working to get that support into these systems. You can use some online tools to look at the DNSSEC signing status of sites:

»dnsviz.net/

»dnssec-debugger.verisignlabs.com

Each of these sites will show you how the chain of trust works for a website.

Please let me know if you have any other questions, and thanks for using Comcast DNS.

Thanks
Chris
Comcast
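
An added example (not part of the original thread, and not Comcast's or the plug-in's code): the two signals a client can read from a validating resolver's reply are the AD (authenticated data) header flag and the RRSIG records returned when the query sets the EDNS0 DO bit. The names `signed.example` and `cdn.example`, the helper names and the response bytes are constructed for illustration.

```python
import struct

RRSIG, OPT = 46, 41  # DNS record type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    """A query with RD set and an EDNS0 OPT record carrying the DO bit,
    which asks the resolver to include RRSIGs in its answer."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + encode_name(name) + struct.pack("!2H", 1, 1) + opt

def skip_name(msg, off):
    """Offset just past a name; a compression pointer is 2 bytes and ends it."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def dnssec_status(msg):
    """Report the AD flag and the RRSIG count in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    rrsigs = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrsigs += rtype == RRSIG
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "rrsigs": rrsigs}

def sample_response(name, signed):
    """Constructed response bytes (not captured traffic); signature is dummy."""
    ptr = b"\xc0\x0c"                          # pointer to the question name
    rrs = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        rdata = struct.pack("!HBBIIIH", 1, 8, 2, 300, 0, 0, 0) + encode_name(name) + bytes(8)
        rrs += ptr + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    flags = 0x8180 | (0x20 if signed else 0)   # QR, RD, RA, plus AD if validated
    header = struct.pack("!6H", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", 1, 1) + rrs

if __name__ == "__main__":
    for name, signed in (("signed.example", True), ("cdn.example", False)):
        print(name, dnssec_status(sample_response(name, signed)))
```

An answer for a name in an unsigned zone still resolves normally with `rcode` 0; it simply carries no AD flag and no RRSIGs. The AD flag is the resolver's assertion, so it is only as trustworthy as the path between the client and that resolver.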


tshirt
Premium,MVM
join:2004-07-11
Snohomish, WA
kudos:4
reply to owlyn

Be sure and clear any local cache(s), as they could be directing you back to the insecure version of some sites.



owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

said by tshirt:

Be sure and clear any local cache(s), as they could be directing you back to the insecure version of some sites.

I did - at least I think I did. Closed FF and ran ipconfig /flushdns.

Anything else?


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast
reply to ctg1701a

said by ctg1701a:

said by owlyn:

I posted this question earlier today, but for some reason, it is nowhere to be found, so I will ask again.

I am using the .75 and .76 DNS servers. I use Firefox, and added in the DNSSEC Validator plug-in. On almost all sites, the plug-in shows that the site is not secured by DNSSEC. Sites include this one, and even comcast.net. A very few sites do show as being secured, so I would think that the plug-in is working.

Can anyone explain what is going on? I would have thought that most sites (especially comcast.net) would show as being secured by DNSSEC.

Hello,

While all Comcast domains are signed, and our caching servers are performing validation, there are some sites that we operate that use global load balancing and content delivery networks like comcast.net. These distributed services currently do not support DNSSEC signing, but we are working to get that support into these systems. You can use some online tools to look at the DNSSEC signing status of sites:

»dnsviz.net/

»dnssec-debugger.verisignlabs.com

Each of these sites will show you how the chain of trust works for a website.

Please let me know if you have any other questions, and thanks for using Comcast DNS.

Thanks
Chris
Comcast

Thanks. This helps, but it sure seems as if almost no sites have properly registered. The only ones I've found that work are the testing sites.

bpratt

join:2006-10-24
Redwood City, CA

If you are looking for end node sites that have DNSSEC signed entries, they are still few and far between. That will change, but right now DNSSEC is mostly deployed higher up the DNS chain.



owlyn
Premium,MVM
join:2004-06-05
Newtown, PA

Thanks to both of you. These replies answer my concerns.