Comcast Blocks Customer Access to NASA.gov
Keith’s note: Comcast has decided to block customer access to *.NASA.gov due, I am told, to an issue involving how NASA maintains its DNS records. Why these geniuses at Comcast chose the SOPA/PIPA protest day to do this is curious to say the least. Right now, if you are a Comcast customer, you are being purposefully denied access to one part of your government’s services.
Keith’s update: I have confirmed this via IT professionals at NASA and in several places across the U.S. that Comcast DNS is broken – but only for NASA.gov, it would seem.
Keith’s update: Alan Boyle from MSNBC tweeted some good advice – change your DNS setting to Google’s Public DNS. Info here.
Keith’s update: Everything works again. Apparently NASA provided an update key for DNS and the new key did not match the Comcast key. So Comcast simply cut off DNS access for all of its customers to everything at NASA.gov. The old key has been sent by NASA and everything works again – so far.
I just ran into this but it wasn’t just NASA. I had problems accessing a lot of pages around the net, including Google and FB. So I don’t think it was something specifically directed at NASA, at least in my experience.
They are about to lose a customer, given that I work for NASA and now cannot see my own web sites or work mail from home. Effing idiots…
Perhaps you should be staying with Comcast as they are one of the few ISPs that are actually trying to make sure that the DNS answers received have not been compromised.
If you run DNSSEC analysis tools, you will find the following problem in NASA’s chain of trust, according to Verisign Labs’ debugger tool:
“The DNSKEY RRset was not signed by any keys in the chain-of-trust”.
The tool is at: http://dnssec-debugger.veri…
yep, just had a fascinating IM chat with one of the front-line tech support reps. they have no clue.
not true. I can still access NASA.gov
A colleague just reported that she could not reach my .nasa.gov site, so this is definitely happening. Nice.
I am a Comcast subscriber, and I don’t have any trouble getting to Nasa.gov.
There is also OpenDNS
http://www.opendns.com/
Nothing new, I used to use Comcast for several years before switching to Verizon FiOS. I still run into issues, but they were much more frequent under Comcast, and DNS was usually the culprit. Once switching to OpenDNS most of the problems went away.
This was not a Comcast error. NASA botched a DNSSEC key rollover. You don’t stop using the current DNSKEY before the parent zone has published the DS records for the new DNSKEY.
yeesh, what does this have to do with SOPA?
Everyone is worried about security. A signature key did not match. They have a system configured to not resolve until it matches. It was noticed, and the key fixed. What’s the big deal? If the NASA site would have been impersonated, everyone would be on their case for not checking if the keys really match, and Keith would be in their face about “what do they think these keys are for?” Disclaimer – I didn’t check what the keys mean – just noticed that there was no argument that there was a discrepancy.
Yes, it appears this was due to Comcast implementing DNSSEC… Hate to say it, but NASA was in the wrong here… If you’re going to spend the effort to sign your DNS records, you really should get it right…
Looks like it was NASA’s fault.
http://forums.comcast.com/t…
I have Time Warner which never had NASA channel.
Cancelled my cable about 2 years ago.
Get NASA TV via ROKU Internet streaming box.
More correctly, NASA failed to ensure that the DS records for NASA.GOV matched the DNSKEY records for NASA.GOV. Comcast just looked up the published information and detected the discrepancy and correctly refused to return answers which did not validate as correct.
As for changing your DNS servers, you need to wonder if you can really trust DNS servers that failed to detect this. What else are they failing to detect?
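Added example, not part of the original post or any comment above: a sketch of the DS-to-DNSKEY match that several commenters describe, using the DS digest and key tag calculations from RFC 4034, run across the stages of a key rollover. The zone name and key material are constructed, and the check covers only the DS/DNSKEY match; a real validator also verifies that the matching key signed the DNSKEY RRset.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag algorithm from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_of_trust_ok(owner, parent_ds_set, child_dnskeys) -> bool:
    """True if at least one DS in the parent matches a DNSKEY the child publishes."""
    child = {make_ds(owner, k) for k in child_dnskeys}
    return any(ds in child for ds in parent_ds_set)

# Constructed sample data: zone name and key bytes are placeholders.
ZONE = "example.gov."
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-key-material")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-key-material")
PARENT_DS = [make_ds(ZONE, OLD_KSK)]  # parent still lists only the old key

def rollover_states() -> dict:
    """Validation outcome at each stage of a key-signing-key rollover."""
    both_ds = PARENT_DS + [make_ds(ZONE, NEW_KSK)]
    return {
        "before rollover": chain_of_trust_ok(ZONE, PARENT_DS, [OLD_KSK]),
        "both keys published": chain_of_trust_ok(ZONE, PARENT_DS, [OLD_KSK, NEW_KSK]),
        "old key dropped too early": chain_of_trust_ok(ZONE, PARENT_DS, [NEW_KSK]),
        "parent DS updated": chain_of_trust_ok(ZONE, both_ds, [NEW_KSK]),
    }

if __name__ == "__main__":
    for state, ok in rollover_states().items():
        print(f"{state:28} -> {'secure' if ok else 'bogus (SERVFAIL)'}")
```

Only the "old key dropped too early" stage fails, which is the condition a validating resolver answers with SERVFAIL while a non-validating resolver keeps returning records.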