
Comcast Blocks Customer Access to NASA.gov

By Keith Cowing
NASA Watch
January 18, 2012

Keith’s note: Comcast has decided to block customer access to *.NASA.gov due, I am told, to an issue involving how NASA maintains its DNS records. Why these geniuses at Comcast chose the SOPA/PIPA protest day to do this is curious to say the least. Right now, if you are a Comcast customer, you are being purposefully denied access to one part of your government’s services.
Keith’s update: I have confirmed this via IT professionals at NASA and in several places across the U.S. that Comcast DNS is broken – but only for NASA.gov, it would seem.
Keith’s update: Alan Boyle from MSNBC tweeted some good advice – change your DNS setting to Google’s Public DNS. Info here.
Keith’s update: Everything works again. Apparently NASA provided an update key for DNS and the new key did not match the Comcast key. So Comcast simply cut off DNS access for all of its customers to everything at NASA.gov. The old key has been sent by NASA and everything works again – so far.

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

16 responses to “Comcast Blocks Customer Access to NASA.gov”

  1. ShaneM says:

    I just ran into this but it wasn’t just NASA.  I had problems accessing a lot of pages around the net, including Google and FB.  So I don’t think it was something specifically directed at NASA, at least in my experience.

  2. Michael C says:

    They are about to lose a customer, given that I work for NASA and now cannot see my own web sites or work mail from home. Effing idiots…

    • marka says:

      Perhaps you should be staying with Comcast as they are one of the few ISPs that are actually trying to make sure that the DNS answers that they receive have not been compromised.

  3. rktsci says:

    If you run DNSSEC analysis tools, you will find the following problem in NASA’s chain of trust, according to Verisign Labs’ debugger tool:
    “The DNSKEY RRset was not signed by any keys in the chain-of-trust”.

    The tool is at: http://dnssec-debugger.veri

  4. ben reytblat says:

    yep, just had a fascinating IM chat with one of the front-line tech support reps. they have no clue.

  5. Marti says:

    not true. I can still access NASA.gov

  6. Eric Fielding says:

    A colleague just reported that she could not reach my .nasa.gov site, so this is definitely happening. Nice.

  7. All Saints Episcopal says:

    I am a Comcast subscriber, and I don’t have any trouble getting to Nasa.gov.

  8. hikingmike says:

    There is also OpenDNS
    http://www.opendns.com/

  9. eech1234 says:

    Nothing new, I used to use Comcast for several years before switching to Verizon FiOS.  I still run into issues, but they were much more frequent under Comcast, and DNS was usually the culprit.  Once switching to OpenDNS most of the problems went away.

    • marka says:

      This was not a Comcast error.  NASA botched a DNSSEC key rollover.  You don’t stop using the current DNSKEY before the parent zone has published the DS records for the new DNSKEY.

  10. meekGee says:

    yeesh, what does this have to do with SOPA?
    Everyone is worried about security.  A signature key did not match.  They have a system configured to not resolve until it matches.  It was noticed, and the key fixed.  What’s the big deal? If the NASA site would have been impersonated, everyone would be on their case for not checking if the keys really match, and Keith would be in their face about “what do they think these keys are for?”

    Disclaimer – I didn’t check what the keys mean – just noticed that there was no argument that there was a discrepancy.

  11. Scott Hopkins says:

    Yes, it appears this was due to Comcast implementing DNSSEC… Hate to say it, but NASA was in the wrong here…  If you’re going to spend the effort to sign your DNS records, you really should get it right…

  12. Packets Fun says:

    Looks like it was NASA’s fault.

    http://forums.comcast.com/t

  13. fredm6463 says:

    I have Time Warner which never had NASA channel.
    Cancelled my cable about 2 years ago.

    Get NASA TV via ROKU Internet streaming box.

  14. marka says:

    More correctly, NASA failed to ensure that the DS records for NASA.GOV matched the DNSKEY records for NASA.GOV.  Comcast just looked up the published information and detected the discrepancy and correctly refused to return answers which did not validate as correct.

    As for changing your DNS servers, you need to wonder if you can really trust DNS servers that failed to detect this.  What else are they failing to detect?
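
The DS/DNSKEY mismatch discussed in the comments above, as an added example that is not part of the original post or any commenter's reply: it builds DS records from DNSKEYs the way RFC 4034 defines them and walks a key rollover step by step. The zone name `agency.example.` and the key bytes are constructed placeholders, and the check assumes the key that matches the DS also signs the DNSKEY RRset, so signature verification itself is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    # Canonical owner name: lowercase labels, length-prefixed, root-terminated.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes.
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    # Key tag checksum from RFC 4034 Appendix B.
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key):
    # DS digest type 2: SHA-256(owner wire name | DNSKEY RDATA).
    flags, algorithm, public_key = key
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def chain_intact(owner, parent_ds, child_dnskeys):
    # A validator needs at least one published DNSKEY that a parent DS vouches for.
    return any(make_ds(owner, k) in parent_ds for k in child_dnskeys)

# Constructed key material (not real keys): flags 257 = KSK, algorithm 8 = RSASHA256.
OLD_KSK = (257, 8, bytes(range(0, 64)))
NEW_KSK = (257, 8, bytes(range(64, 128)))

def rollover_scenarios(zone="agency.example."):
    old_ds, new_ds = make_ds(zone, OLD_KSK), make_ds(zone, NEW_KSK)
    return {
        "steady state": chain_intact(zone, {old_ds}, [OLD_KSK]),
        "old key withdrawn before parent DS changed": chain_intact(zone, {old_ds}, [NEW_KSK]),
        "both keys published, parent still has old DS": chain_intact(zone, {old_ds}, [OLD_KSK, NEW_KSK]),
        "parent DS updated, both keys still published": chain_intact(zone, {new_ds}, [OLD_KSK, NEW_KSK]),
        "old key retired after parent DS updated": chain_intact(zone, {new_ds}, [NEW_KSK]),
    }

if __name__ == "__main__":
    for step, ok in rollover_scenarios().items():
        print(f"{'validates' if ok else 'BOGUS (SERVFAIL)':<18} {step}")
```

Only the second scenario fails: a validating resolver treats the zone as bogus there, while a non-validating resolver keeps answering in every scenario.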