11.03.2015 14:05

One quick note on DNSSEC Validation failures

I wrote back in 2010 that ISPs should prepare for the inevitable backlash if their DNSSEC-aware resolvers black out an important domain.

We now had just such a case: the protagonists make it even juicier than I imagined: Comcast customers could not access the new HBO website where they could get the HBO programming without paying for a full cable TV package.

Accusation were flying, emergency debugging and cache clearing ensued and we're now in the "What went wrong?" and "./ style discussions" stage.

It looks like Comcast weathered that storm pretty well. This may be a result of good social media work, a quick fix from HBO, and the fact that Google's 8.8.8.8 nameserver also does DNSSEC validation.

Author: Otmar Lendl