Comcast -- Owner Of NBC Universal -- Admits That DNS Redirects Are Incompatible With DNSSEC
from the well-look-at-that dept
Well, well, well. Here's something interesting. Comcast, who owns NBC Universal (one of the main forces behind SOPA/PIPA), is officially a SOPA/PIPA supporter. However, yesterday, Comcast put up a post congratulating itself (deservedly so!) for completing its DNSSEC deployment, making it "the first large ISP in the North America to have fully implemented" DNSSEC across the board. That's huge, and a clear vote of confidence for DNSSEC, obviously. They also urge others to use DNSSEC:Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names. While in the past those domains may have wanted to do so but felt it would have limited effect, they now can work on signing their domains knowing that the largest ISP in the U.S. can validate those signatures on behalf of our customers.All of this is good... but what may be much more interesting is that, along with this announcement, Comcast has also mentioned that it is shutting down its Domain Helper service. Domain Helper was a somewhat controversial DNS-redirect system, so that when you mistyped something, it would suggest the proper page or alternatives. Many in the internet community complained that these types of redirects mess with the underlying DNS system (which they do). But, as the DNS experts have been saying all along (and NBC Universal has been trying to play down), DNSSEC is incompatible with such DNS redirects. So... that makes this next part a little awkward. Comcast is now admitting, indeed, that DNS redirects, such as Domain Helper, are incompatible with DNSSEC:
When we launched the Domain Helper service, we also set in motion its eventual shutdown due to our plans to launch DNSSEC. Domain Helper has been turned off since DNS response modification tactics, including DNS redirect services, are technically incompatible with DNSSEC and/or create conditions that can be indistinguishable from malicious modifications of DNS traffic (including DNS cache poisoning attacks). Since we want to ensure our customers have the most secure Internet experience, and that if they detect any DNSSEC breakage or error messages that they know to be concerned (rather than not knowing if the breakage/error was "official" and caused by our redirect service or "unofficial" and caused by an attacker), our priority has been placed on DNSSEC deployment -- now automatically protecting our customers...Let's be doubly clear about this, because it's important. Just as NBC Universal and other SOPA supporters continue to insist that DNS redirect is completely compatible with DNSSEC... Comcast (and official SOPA/PIPA supporter) has rolled out DNSSEC, urged others to roll out DNSSEC and turned off its own DNS redirect system, stating clearly that DNS redirect is incompatible with DNSSEC, if you want to keep people secure. In the end, this certainly appears to suggest that Comcast is admitting that it cannot comply with SOPA/PIPA, even as the very same company is advocating for those laws.
It would appear that the left hand (people who actually understand technology) isn't speaking to the right hand (lawyers/lobbyists) within the Comcast family. But, I think that NBC Universal and anyone else insisting that DNS redirects are fine in DNSSEC owe everyone else a pretty big apology... when their own company's experts are admitting that the two are incompatible.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dns, dns blocking, dnssec
Companies: comcast, nbc universal
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
Fucking with DNS can generally occur at three points in the network:
1) You can fuck with DNS at the authoritative server for the zone.
2) You can fuck with DNS close to the end-user.
a) At the hosts file or stub resolver, or application software (i.e. browser)
b) At the recursive resolver, contacted by the user's stub resolver
3) You can fuck with DNS somewhere in transit
a) On the wire
b) At intermediate, non-authoritative, caching servers (compare with 2b).
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
If the government modifies the root record, they don't have to worry about uncooperative or hostile ISPs (such as Comcast using a DNSSEC system which is not compatible with redirects or other ISPs with proprietary technology) is all I'm trying to say.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
It depends on what "blocking" means. According to SOPA/PIPA, it means "if someone asks for www.roguesite.com, send them to us instead," and as Comcast's post notes, this looks EXACTLY like malicious redirection at a technical level. DNSSEC works because the domain names are signed and verifiable, and it prevents anyone from sending you to the "wrong" site, even if it's the Government.
I suppose that if "blocking" meant returning a "destination unreachable" error then this would be different, but getting a workable system to just drop traffic seems like a really backwards effort, and there would be no "education" involved (because it would just look like your connection was dead).
[ link to this | view in chronology ]
Re: Re:
It depends on what "blocking" means. According to SOPA/PIPA, it means "if someone asks for www.roguesite.com, send them to us instead," and as Comcast's post notes, this looks EXACTLY like malicious redirection at a technical level. DNSSEC works because the domain names are signed and verifiable, and it prevents anyone from sending you to the "wrong" site, even if it's the Government.
I suppose that if "blocking" meant returning a "destination unreachable" error then this would be different, but getting a workable system to just drop traffic seems like a really backwards effort, and there would be no "education" involved (because it would just look like your connection was dead).
The latter measure is what I understand the bill calls for. ICE engaged in redirects under current, US law. Returning a "destination unreachable" message is what the proposals call for and do not have any DNSSEC security issues that I am aware of. Though that distinction seems to be completely missing in the article.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Ah, but it does. Paul Vixie explains it better than I could: DNS Policy is Hop by Hop; DNS Security is End to End.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Surely only weak governments attempt to fools their citizenry, so am I right in assuming that he is being sarcastic here?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
The United States would, obviously, count as strong here though one might quibble about how strong or representative it is.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Ah, but it does. Paul Vixie explains it better than I could: DNS Policy is Hop by Hop; DNS Security is End to End.
Thanks for the link Rich. I understand that currently malicious sites like spam, malware etc are blocked at the DNS level. If that is true, it's hard to believe that the same blocking provisions are unavailable and not built into DNSSEC. How will child porn be blocked under DNSSEC?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
We tend to say that they're "blocked" -- but they're really not. It's an imprecise use of language that leads to confusion. Let me try to explain.
Suppose that example.com are Evil Wicked Mean Nasty spammers, and that the good guys over at example.net are running a blacklist of such domains. We desire to use that blacklist to stop ourselves from accepting mail from example.com (and many other domains like it). We then configure our mail servers such that when mail is presented to us, we send a DNS query to:
blacklist.example.net
and in that query, we ask for the A record for
INCOMING-MAIL-DOMAIN.bl.example.net
as in (using this example)
example.com.bl.example.net
In other words, we're not querying DNS servers that have anything to do with example.com. We're querying a DNS zone over at example.net (bl.example.net) to see what it says. Typically, we'll get back a response that either says NXDOMAIN (no such entry in the zone, domain is not blacklisted) or 127.0.0.1 (there IS an entry in the zone, domain is blacklisted). Our mail server can decide what it wants to do with that response. It could (a) refuse the message (b) accept the message (c) stash the query result and a get a second or third opinion (d) weight the query along with others or (e) many variations of these.
In other words: the blacklist blocks nothing, permits nothing. It simply gives an advisory opinion, and it's up to us what we do with it. But we tend to abbreviate this process and say things like "mail was blocked by spamhaus.org's blacklist", which is certainly quicker but not really very accurate. By the way, this same mechanism can be used with other application-level protocols; for example, it can used in an HTTP proxy to cut off web access to example.com. But worth noting is that there's no way to compel us to use example.net's blacklist, or any other one: we choose to do so, presumably because we trust that the keepers of that DNS zone are reliable, accurate, etc.
As to how child porn (or anything else) gets blocked with DNSSEC: it doesn't. That's not what DNSSEC does. DNSSEC will let us securely/definitively acquire information about the child porn domain; we then have to decide, elsewhere, what we want to do about it. (This is glibly assuming that the operators of such a site are even using DNS...and that's a pretty big assumption.) One of the ways that we can decide elsewhere is called DNS RPZ (see link that I furnished earlier in the thread).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
When I say "destination unreachable," I'm no longer talking in DNS, I'm talking in TCP/IP. That is, you give them the right street address but then block all the roads that lead there. I don't think that's really a feasible choice; the Internet was designed to route around such "damage," so it would be a massive, backwards, counter-productive effort -- if it's even possible.
What you seem to be talking about is a DNS-level "destination unreachable," where you simply fail to give them the right address. The article that Rich links to talks about what this won't work -- properly functioning DNSSEC will ignore anything but an authoritative, signed response; if you say you don't have the address, DNSSEC will just ask someone else until it finds a signed response.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Thus, ICMP operates at a fairly low level in the Internet's plumbing -- below that of DNS. Which brings up the first problem: you can't block access to a web site using ICMP destination unreachable. You can only block access to a host or network. Which means that if you have a host using shared web hosting, and thus handling web servers for 816 domains, you'll have to block the host -- and thus 815 additional domains.
This works the other way too: suppose you're going after the domain example.com -- which uses round-robin DNS or any other load-balancing trick to resolve the A record for www.example.com to (let's say) 12 different hosts, all of which have mirrors of the web site. You've got to identify and block them all.
And it gets trickier still: a heck of a lot of web sites don't directly serve their own content: they use distributed caches (like Akami). So you've got to block all those too -- which, by the way, will likely block a LOT of other domains.
And then we get to the issue of precisely how you're going to issue these ICMP packets. You can't just inject them randomly and expect hosts to pay any attention to them; you need to generate them on-the-fly, in the right place at the right time with the right contents -- and in response to incoming IP traffic. That's certainly non-trivial.
And even if you could install DPI (deep packet inspection) equipment everywhere, and even if you could manage it all, and even if you could avoid the numerous DDoS vectors that entails, and even if if if...it's all still easily defeated by using botnets.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
DNS should only return unreachable if it can not be reached.
DNS should when working correctly take you directly to the ip address associated with the domain name if the domain is registered and can be connected to.
Law enforcement should not fuck with this in any way. If a site is truly illegal then the court case will find them guilty and if done properly fuck them in the ass so hard they never stick their head out again.
But trying to have a few people decide without a court hearing who to immediately shut up is not a good thing.
If you can not see that you are a moron or a shill.
[ link to this | view in chronology ]
Re: Re: Re: Re:
The true morons/shills would be those politicians supporting this bill and gleefully saying they don't understand the technology and don't WANT to understand it, or get advice from those who do.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
But good point, just need the citation. I find it hard to follow all SOPA versions =(
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Edit: For clarification
[ link to this | view in chronology ]
Re:
left wing Obama newtwork! now it's been more than
a week and I have many emails and none will let me
log in to leave my comment! I hate psmnbc and its
agenda to re-elect this socialist! I guess they
don't believe in free speech and hearing the truth
and other side like all liberals. I say boycott all
psmnbc shows and GE or anybody who advertises on
nbc! F them to hell!
[ link to this | view in chronology ]
Not true at all. They CAN comply with SOPA, they just admit they can't do it and still ensure they can keep people safe/secure.
Clearly the losses from data/identity theft are nothing compared to the losses from copyright theft. C'mon, what's a few thousand people/small businesses being ruined every year compared to the ability of the entertainment conglomerates to limit distribution channels and force content creator to continue to relinquish their rights, and to limit choice for consumers to create artificial premiums?
Think of the poor CEO's and lobbyists.
[ link to this | view in chronology ]
Re:
Yes, think about the 1%. Surely the needs of the few out weigh the needs of the many?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Worth following in this regard, these mailing lists:
DNSEXT
DNSOP
DANE
DNS operations
BIND users
BIND announcements
These are the places where topics related to DNS and DNS software are discussed, frequently by the people crafting the standards and writing the code.
[ link to this | view in chronology ]
I was really looking forward to its passage and then do my very best to ensure Rick Perry is elected; then move to Canada and laugh.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
FTFY
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Tor already proxies DNS, to avoid side-channel leakage.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
It turns out that serving up huge databases on demand to the entire Internet is a hard problem. That's why DNS exists -- back in the old days, we actually all used a single "hosts" file that we periodically FTP'd to our servers from a central maintainer's system. DNS is, in part, a response to the scalability issues of that setup.
Fast-forward a few decades, and it's still a hard problem. Running a DNS zone with a hundred million entries and efficiently answering queries directed to it and updating it often and accurately and defending it from DoS attacks is a formidable challenge.
And even meeting that challenge (which only a few have done, and then only after a lot of effort and/or expense), still doesn't mean that the desired result will be achieved -- not in a world with of bots/botnets, which can neatly undercut all of it at will.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
ICE, DOJ, SOPA supporters
[ link to this | view in chronology ]
I think this is the left hand slyly showing their displeasure with SOPA. What better way for the Comcast technical experts to piss on this bill than to implement the next generation of internet security and then throw their hands up with "there's nothing we can do!" if SOPA passes.
[ link to this | view in chronology ]
Should be an, not and.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
See also: words that have never been uttered, ever.
[ link to this | view in chronology ]
[ link to this | view in chronology ]