Deploy360 25 January 2012

Comcast Releases Detailed Analysis of DNSSEC Validation Failure

By Dan York, Director, Internet Technology

Did you see all the tweets and mentions on the web last week about Comcast apparently blocking NASA’s website on their network? While it made for great headlines, the truth was that there was an error in the DNSSEC signing of the domain. Comcast has deployed DNSSEC-validating DNS servers, and those servers were correctly responding with a failure (a SERVFAIL, the standard answer for a zone that does not validate) and thereby blocking access to the site.

Comcast alerted the administrators of the site and worked with them to resolve the issue. Comcast’s DNS Engineering team has now issued a very helpful analysis of the DNSSEC validation failure. As they outline in part of the executive summary:

On January 18, 2012, the NASA.GOV domain had a DNS Security Extensions (DNSSEC) signing error that blocked access to all NASA.GOV sites when using DNS recursive resolvers performing DNSSEC validation. As one of the largest ISPs in the world utilizing DNSSEC validation, users of Comcast noticed a problem when attempting to connect to the website. This caused some people to incorrectly interpret this as Comcast purposely blocking access to NASA.GOV and recommending users switch from Comcast security-aware DNS resolvers to resolvers not performing DNSSEC validation … Instead, the administrators of the NASA.GOV domain had enabled DNSSEC signing for their domain, and the security signatures in their domain were no longer valid. The Comcast DNS resolvers correctly identified the DNSSEC signature errors and responded with a failure to Comcast customers. This is the expected result when a domain can no longer be validated, and this protects users from a potential security threat.

The document then goes on at some length to explain how Comcast monitors for DNSSEC validation failures, how the domain failed, how the issue was resolved and how users responded to the issue. The document includes a number of charts from DNSViz showing the precise error in the DNSSEC chain-of-trust and then interestingly includes examples of the web and Twitter reaction to the problem.
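The quickest way to tell a DNSSEC validation failure from an ordinary outage, which is the check Comcast's monitoring performs and which any affected user could have run, is to ask a validating resolver the same question twice: once with validation on (EDNS0 DO bit set) and once with validation off (the CD, checking-disabled, header flag set). SERVFAIL on the first and NOERROR on the second means the data exists but does not validate; SERVFAIL on both is a real outage, not DNSSEC. The following is an added Python example, not code from Comcast's report or from this post. It builds the queries from the standard library only; the resolver address 192.0.2.53 is a placeholder you would replace with your own validating resolver, and the sample response headers at the bottom are constructed for offline use, not captured traffic.

```python
"""Classify a SERVFAIL as a DNSSEC validation failure or an outage.

Added example, not from the Comcast analysis or the Deploy360 post.
Assumes a validating resolver on UDP/53 that honours the EDNS0 DO bit
and the CD header flag as specified in RFC 4035.
"""
import socket
import struct
import sys

RESOLVER = "192.0.2.53"  # placeholder address (TEST-NET-1), not a real resolver


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, root label last."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, checking_disabled=False):
    """Build a DNS query carrying an EDNS0 OPT record with the DO bit set.

    Header flags: QR=0, OPCODE=0, RD=1 (0x0100); CD is bit 4 (0x0010).
    ARCOUNT=1 accounts for the OPT pseudo-record in the additional section.
    """
    flags = 0x0100 | (0x0010 if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, UDP payload size 4096, extended RCODE 0,
    # EDNS version 0, flags with DO (0x8000), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_response(packet):
    """Return (txid, rcode, ad_flag) from a DNS response header.

    AD (authenticated data) is bit 5 (0x0020); RCODE is the low 4 bits.
    """
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, flags & 0x000F, bool(flags & 0x0020)


def classify(rcode_do, ad_flag, rcode_cd):
    """Interpret the pair of answers from a validating resolver.

    rcode_do: RCODE with validation on (DO=1, CD=0).
    ad_flag : AD bit on that answer.
    rcode_cd: RCODE for the same question with CD=1 (validation off).
    """
    if rcode_do == 2 and rcode_cd != 2:
        return "bogus"        # data exists, chain of trust fails: the NASA.GOV case
    if rcode_do == 2 and rcode_cd == 2:
        return "unreachable"  # fails either way: ordinary outage, not DNSSEC
    if ad_flag:
        return "secure"       # answer (or denial) validated by the resolver
    return "insecure"         # answered, but zone is unsigned or chain is absent


def probe(name, resolver=RESOLVER, timeout=3.0):
    """Network probe: send both queries to `resolver` and classify the result."""
    results = []
    for cd in (False, True):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, checking_disabled=cd), (resolver, 53))
            data, _ = sock.recvfrom(4096)
        finally:
            sock.close()
        results.append(parse_response(data))
    (_, rcode_do, ad), (_, rcode_cd, _) = results
    return classify(rcode_do, ad, rcode_cd)


# Constructed response headers (not captured traffic) for offline use:
# SERVFAIL with validation on, NOERROR with CD set -> the NASA.GOV pattern.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_NOERROR_CD = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0)
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "nasa.gov"
    print(target, probe(target))
```

The same two-query check from a shell is `dig +dnssec <name> @<resolver>` followed by `dig +cd <name> @<resolver>`; `+dnssec` sets the DO bit and `+cd` sets the CD flag, so a SERVFAIL from the first and an answer from the second is the signature of a validation failure. Note that switching to a non-validating resolver, which is what some users were told to do, produces the same "working" answer as the CD query for exactly the reason the validating resolver refused it: it hands back data nobody has verified.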

In a message to the dnssec-deployment mailing list announcing the release of this document, Comcast’s Jason Livingood stated:

Since we feel that the entire Internet community has room for improvement on signing processes (not to single out NASA), we decided to start doing failure analyses here and there – and share them with the community in the hope that it will help bring greater operational scrutiny and maturity to DNSSEC signing processes.

Kudos to the Comcast DNS Engineering team for releasing this analysis as it is indeed quite helpful to understand how DNSSEC validation failed, what the user experience was and how the issue was resolved. We look forward to seeing more of these types of analysis documents as the global DNSSEC rollout continues. Sharing this level of detail will definitely help others who encounter similar situations and will only make the DNSSEC system that much stronger.

Want to learn more about DNSSEC? View our DNSSEC-related resources, including tutorials, videos and more…

UPDATE: Dark Reading also put up a good post today on this topic: DNSSEC Error Caused NASA Website To Be Blocked

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
