

Pro-SOPA Comcast just implemented SOPA-incompatible DNSSEC - frooboy
http://www.itworld.com/security/240789/sopa-might-force-choice-stop-cyberspies-bank-robbers-and-id-thieves-or-stop-illegal-

======
modeless
Wow, Comcast voluntarily switched to DNSSEC even though it required them to
shut off their DNS-hijacking ad servers? They just went up a few notches in my
eyes. ([http://blog.comcast.com/2012/01/comcast-domain-helper-shuts-...](http://blog.comcast.com/2012/01/comcast-domain-helper-shuts-down.html))

~~~
whichdan
I use Comcast (I'm in Boston) and I once called their phone support to see if
I could get the "Domain Helper" disabled, and the tech had no idea what I was
talking about. Switching to Google's DNS servers helped.

~~~
blutonium
I had the same experience. Bumped to a manager that had me log in and disable
it. A month later, it was on again.

~~~
ars
I disabled mine a long time ago and it didn't go back on, it was very easy to
do.

------
pjscott
DNSSEC prevents spoofing (as does HTTPS), but that's about all it does that's
relevant to SOPA. This may prevent a particular mechanism of SOPA enforcement,
but that's easy enough for the government to work around, in theory.

~~~
wmf
Exactly. If an ISP simply returns an error for lookups of a blacklisted
domain, DNSSEC shouldn't complain; it will just think there's a DNS outage.

Since no one has read it, here's the relevant text: "A service provider shall
take technically feasible and reasonable measures designed to prevent access
by its subscribers located within the United States to the foreign infringing
site (or portion thereof) that is subject to the order, including measures
designed to prevent the domain name of the foreign infringing site (or portion
thereof) from resolving to that domain name's Internet Protocol address." (I
wonder if I am now cursed.)

~~~
newhouseb
Right, I don't know how most DNS client implementations handle time-outs
but this could range from not mattering at all to degrading the performance of
everything - imagine if twitter was taken down, then half the world's websites
(I'm exaggerating a bit) that reference Twitter buttons would grind to a
standstill (try browsing things like TechCrunch in China and you'll see this).

If ISPs wanted to avoid this scenario, it would essentially require fracturing
DNS[SEC] into something the US Govt has the authority to sign properly without
affecting the rest of the world - in other words a completely divided national
internet.

Or we could just all switch to using DNSSEC servers on the Barbados Islands or
something in the future.

~~~
wmf
I'm not talking about timeouts; I'm talking about immediately returning an
error (apparently DNSSEC will break if you return NXDOMAIN, but there are
other error codes). If browsers retry or hang after getting a DNS error, I
guess they'll have to be fixed.

~~~
newhouseb
How do you mean 'break'? As I understand it, NXDOMAIN also has to be signed
with a trust chain back to a root authority. I guess what I don't know enough
to answer is if there are other equally sufficient error codes that don't
require a trust chain (which would be surprising because allowing any non-
trusted responses would seem to defeat the entire purpose of a non-tamperable
DNS service)

~~~
pyre
I think that DNSSEC is more concerned with preventing DNS poisoning and man-
in-the-middle attacks than with using NXDOMAIN to block access.

------
DarkShikari
Even if DNSSEC and SOPA were mutually exclusive in all aspects (which they are
not), being pro-SOPA does not mean Comcast cannot also prepare for the case
where SOPA fails to pass.

------
msredmond
Does this link actually work for anyone? I'm just getting the site's home page
(and don't see that story in a quick scroll).

------
simcop2387
I find this more interesting not from a SOPA standpoint but because comcast
has in the past given me false responses instead of NXDOMAIN. Anyone happen to
know if this could prevent such a thing, or at least provide a mechanism of
testing for it other than blacklisting an IP?

~~~
sp332
They would have to give some kind of error code that indicates that the DNS
server isn't working. Any false assertion about DNS results, including false
NXDOMAIN responses, will break DNSSEC (your computer would notice that the
response has been forged).

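Added editorial example, not part of the thread and not Comcast's or anyone else's code: a small Python checker for the test simcop2387 asks about and the distinction sp332 draws. It classifies dig-style responses for a probe name that should not exist (a random label under a zone you control or know to be signed). The four responses below are constructed, not real captures; in practice you would generate them with `dig +dnssec <random-label>.example.com @<resolver>`. The record-type names and status codes are standard DNS; everything else (function names, the probe label, the example IPs) is this example's own assumption.

```python
"""Classify dig-style responses to a probe for a name that must not exist.

A forged "this name exists" (Domain Helper-style hijack) shows up as an A
record.  A DNSSEC denial of existence must carry NSEC/NSEC3 plus RRSIG in
the AUTHORITY section; an NXDOMAIN without that proof is unverifiable and a
validating resolver rejects it.  SERVFAIL asserts nothing, so there is
nothing to forge or to validate.
"""
import re
from dataclasses import dataclass

PROBE = "probe-nonexistent-7f3a.example.com."  # assumed, deliberately random label

# Constructed dig-style outputs (not real captures).
HIJACKED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;probe-nonexistent-7f3a.example.com.   IN   A

;; ANSWER SECTION:
probe-nonexistent-7f3a.example.com.   60   IN   A   192.0.2.10
"""

AUTHENTICATED_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;probe-nonexistent-7f3a.example.com.   IN   A

;; AUTHORITY SECTION:
example.com.   3600   IN   SOA   ns.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.   3600   IN   RRSIG   SOA 8 2 3600 20120201000000 20120101000000 12345 example.com. c29tZS1zaWc=
example.com.   3600   IN   NSEC   www.example.com. A NS SOA RRSIG NSEC DNSKEY
example.com.   3600   IN   RRSIG   NSEC 8 2 3600 20120201000000 20120101000000 12345 example.com. YW5vdGhlcg==
"""

FORGED_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;probe-nonexistent-7f3a.example.com.   IN   A

;; AUTHORITY SECTION:
example.com.   3600   IN   SOA   ns.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
"""

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1004
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;probe-nonexistent-7f3a.example.com.   IN   A
"""


@dataclass
class Response:
    status: str
    flags: set
    answer: list     # record types seen in the ANSWER section
    authority: list  # record types seen in the AUTHORITY section


def parse_dig(text):
    """Extract status, header flags and per-section record types from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags:([^;]*);", text)
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(";") or current not in sections:
            continue
        fields = line.split()  # owner TTL class type rdata...
        if len(fields) >= 4 and fields[2] == "IN":
            sections[current].append(fields[3])
    return Response(
        status=status.group(1) if status else "UNKNOWN",
        flags=set(flags.group(1).split()) if flags else set(),
        answer=sections["ANSWER"],
        authority=sections["AUTHORITY"],
    )


def classify(text):
    """Label one response to the nonexistent probe name."""
    r = parse_dig(text)
    if r.status == "SERVFAIL":
        return "servfail"                 # no assertion made; nothing to verify
    if r.status == "NXDOMAIN":
        proof = "RRSIG" in r.authority and (
            "NSEC" in r.authority or "NSEC3" in r.authority)
        if proof and "ad" in r.flags:
            return "authenticated-nxdomain"   # signed denial, resolver validated it
        if proof:
            return "signed-nxdomain-unvalidated"  # proof present, nobody checked it
        return "unsigned-nxdomain"        # indistinguishable from a forgery
    if r.status == "NOERROR" and any(t in ("A", "AAAA") for t in r.answer):
        return "hijacked"                 # an address for a name that cannot exist
    return "unclassified"


if __name__ == "__main__":
    for name, text in [("hijacked", HIJACKED), ("signed", AUTHENTICATED_NXDOMAIN),
                       ("forged", FORGED_NXDOMAIN), ("servfail", SERVFAIL)]:
        print(f"{name:9s} -> {classify(text)}")
```

One caveat a practitioner should keep in mind: the `ad` flag is set by whichever resolver you asked, over an unauthenticated UDP channel, so an ISP resolver that wants to lie can set it too. The classification above is only as trustworthy as the resolver that produced it; to actually detect a forged NXDOMAIN you need to validate the NSEC/NSEC3 and RRSIG chain locally (a validating stub such as a local unbound instance) rather than trust the upstream's flag.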
~~~
tedunangst
And what do you do after detecting a forged NXDOMAIN response? You still don't
have the IP address you wanted.

~~~
marshray
Complain.

Look for other DNS resolvers.

(human and/or automated processes)

------
privacyguru
Props to Comcast and NOT to Congress if they pass either of these.

[http://www.securityweek.com/dnssecs-time-here-sopa-presents-...](http://www.securityweek.com/dnssecs-time-here-sopa-presents-challenges)

------
snowwrestler
It's actually not incompatible with SOPA. The bill demands that ISPs block DNS
routing for certain domains. Returning no response to a DNS request would not
break DNSSEC. It would just look like that site did not exist.

Some people have proposed that instead of blocking DNS, ISPs should redirect a
DNS request. That would be incompatible with DNSSEC--but that requirement is
not in the bill.

