[Dnssec-deployment] Comcast Begins DNSSEC Rollout

[Doug Barton]

On 10/19/2010 2:05 AM, Mats.Dufberg at teliasonera.com wrote:
> Congratulations and welcome to the crowd of validating ISP's!
>
> On the lists there has been some voice warning for the customers' reactions when something fails through Comcast but not at some other connection.
>
> TeliaSonera is the major ISP in Sweden and our DNS resolvers have been validating all customers' requests since June 2007. Until September this year we used the .SE key as trust anchor, now we use the root key as trust anchor. We have now and then received calls from customers complaining that some domain fails with us but not at some other place. We have used the .SE tool DNScheck (<http://dnscheck.iis.se/?setLanguage=en>) to show that the problem sits in the domain. The customers have accepted that we are not to blaim, and there has been no negative press due to the fact that we validate.
>
> If there is a major DNSsec failure in some TLD that has any importance in Sweden, I am sure that the press will point out the cause of failed DNS resolution.

That sounds like a very reasonable approach. Do you try to educate the 
users about DNSSEC at all? Obviously the depth of detail is not 
desirable, but I could see where an approach like, "We use the most 
sophisticated technology available which helps protect you from going to 
a different site pretending to be your {bank|podiatrist|etc.}" might be 
useful.


Doug

-- 

Breadth of IT experience, and    |   Nothin' ever doesn't change,
depth of knowledge in the DNS.   |   but nothin' changes much.
Yours for the right price.  :)   |		-- OK Go
http://SupersetSolutions.com/