[Dnssec-deployment] Comcast Begins DNSSEC Rollout

David Conrad drc at virtualized.org
Mon Oct 18 22:54:09 EDT 2010


Thierry,

On Oct 18, 2010, at 1:51 PM, Thierry Moreau wrote:
>> But as long as Verizon,
>> AT&T and others don't validate as well, your customer will notice that he
>> can't do online-banking while his neighbor on DSL can.
> Isn't DNSSEC intended to prevent pharming attacks?

Technically, no. That's a side effect of what DNSSEC does provide.

> Then the converse of the above will occur, to the benefit of Comcast: BigBankUSA.com will see its customers victimized through ISPs that do not validate. Comcast connected online banking clients will be less vulnerable.

This will matter only if the folks not using Comcast realize they've been victimized by an attack that Comcast protected against. I figure the vast majority of folks haven't the slightest idea how they've been victimized.  It might be useful for Comcast to widely publicize any attacks that DNSSEC actively prevents -- both to show how well Comcast's infrastructure is protecting customers as well as encourage other ISPs to take the same steps.

> Congratulations to Comcast for this leadership.

I agree.  Very good job. I just hope the number of arrows Comcast suffers for being leaders doesn't kill the effort...

Regards,
-drc



More information about the Dnssec-deployment mailing list