Comcast Migrating Customers To DNSSEC Resolvers

ctg1701 passes along this quote from a Comcast announcement: "Starting today we will begin migrating customers who have opted out of our Domain Helper service over to our production DNSSEC-validating servers. This will happen first in a selected part of our Virginia network, and will later expand to all markets in the following sixty days, at which point all of our customers who have opted out of Domain Helper will be migrated. After this has been completed, we will migrate the rest of our customers, which we anticipate will stretch into the early part of 2011."

What is this?

[mark72005]

For those of us on Comcast, what does this mean?

Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.

Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.

Re:

[Entropius]

My parents have had intermittent connectivity in Alabama these last few days, which is a Big Deal since they have Vonage for phone service. Comcast blames it on the analog-digital switchover, which is horseshit.

Re:

[AdmiralXyz]

If you haven't opted out of Domain Helper ("helpfully" redirecting your 404's to advertising), it doesn't mean anything yet. If you are, it means your DNS lookups are going to be done over a secure channel, which in theory makes it much more difficult to perform DNS redirection attacks (where you look up www.google.com but a hiacking means that you get back the IP address for http://ebay.spamwarezdeath.ru./ [ebay.spamwarezdeath.ru] In short, it's a Good Thing ;)

Re:

[popeye44]

Which I am assuming matters not a whit to those of us using OpenDNS.

I've been extremely happy with Opendns so far. "and entirely unhappy with Comcast's opt-out method"

Re:

[modmans2ndcoming]

In Metro Detroit I have Comcast, WOW, and ATT Uverse. Comcast is easily 50 dollars cheaper than Uverse and for the package level I am at, Comcast is cheaper than WOW, not to mention the better onDemand and Internet Media.

Re:

[ScrewMaster]

In Metro Detroit I have Comcast, WOW, and ATT Uverse. Comcast is easily 50 dollars cheaper than Uverse and for the package level I am at, Comcast is cheaper than WOW, not to mention the better onDemand and Internet Media.

Where I am I've had the exact opposite experience. Comcast fucked with my service, jacked up my rates, gave me dismal picture quality, and in the end I couldn't wait to get U-Verse. Finally it came to my area, and I switched on the spot. Not looking back either. Competition is good, actually.

Re:

[mark72005]

No Uverse here yet, but other friends have had the same experience. Canning cable gave them more channels, more boxes, better quality for less money.

Re:What is this?

[ctg1701]

For those of us on Comcast, what does this mean?

Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.

Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.

DNSSEC security is an Internet standard and it means that we are enabling it for our domains and will validate others once it is rolled out globally. I suggest you read through http://www.dnssec.comcast.net/faq.htm which explains why we are rolling this out and what it means for our customers.

Thanks

Chris
Comcast

Pitchforks and torches. Nice job, /.

[Caerdwyn]

Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?

Because guys that run DNS servers are obviously the guys who are responsible for video quality-of-service. Same field, and Comcast has only a couple of engineers running their entire network. I bet Chris also is responsible for designing their logos and what's in their cafeterias and whether the cable installers show up on time.

The topic is DNSSEC, not bandwidth caps or video compression or network traffic filtering.

I would have thought that having a primary source, an engineer relevant to the discussion, was welcome. Instead, it's an excuse to get out the haters. IT guys complain about how they're the ones that take the heat for corporate decisions which they don't control, but the moment it's someone else's IT guy, that person gets the heat for corporate decisions which they don't control. Nice consistency there. What's YOUR company, so we know who YOU are a "shill" for?

I'd be surprised if we hear from Chris again. I know I wouldn't come back. Screw Slashdotters, they don't want information or answers, they want scapegoats and straw men.

Whether Comcast, EFF or the Nazis use DNSSEC is irrelevant to the merits and flaws of DNSSEC. Whether Comcast uses DNSSEC is irrelevant to whether they use ad-readirectors for NXDOMAIN results.

By the way, I think I worked on the DNS server and service that Comcast is using for this, at my previous job. I guess that makes me a shill too. But I'll be damned if I'm going to share anything useful about it, even things that aren't under NDA, to Slashdot.

Re:

[Wyatt Earp]

The dude from Comcast's rote answer to questions was to post links to Comcast's PR.

As for my company and who I shill for, that's easy. I'm a public sector education and video teleconferencing goblin in the 49th state. And I shill for children with low incidence disabilities who are using technology.

Re:

[AlamedaStone]

The dude from Comcast's rote answer to questions was to post links to Comcast's PR.

As for my company and who I shill for, that's easy. I'm a public sector education and video teleconferencing goblin in the 49th state. And I shill for children with low incidence disabilities who are using technology.

Another K Street fatcat, lobbying for Big Pediatric Disability.

You people make me sick.

Re:

[AltairDusk]

His "rote answer" was a perfectly acceptable and useful response to the question he quoted (notice that it was modded +5 Informative). Furthermore he did not attempt to trick anyone by hiding his association with Comcast, he openly provided the information so that any possible bias can be estimated and accounted for by the reader.

Re:What is this?

[ctg1701]

Stop posting press release posts.

Here is some non-Comcastic information - http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions [wikipedia.org]

Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?

Actually I have been working in the IETF to help provide better methods for P2P to work on ISP networks after the issues with the TCP reset packets a few years ago. I am sure you can look up some of the RFC items if you search for them.

If you have a problem with your HD quality, I suggest getting someone to come look at that. Given I am an Internet Engineer, I don't work on that side of the business.

Thanks

Chris
Comcast

Re:What is this?

[ctg1701]

Stop posting press release posts.

Here is some non-Comcastic information - http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions [wikipedia.org]

Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?

I also should mention that reading Wikipedia isn't the most reliable source, although that one is fairly good. I might suggest looking at the following if you don't care for Comcast's write up:

https://www.dnssec-deployment.org/

or the RFCs:

http://tools.ietf.org/html/rfc4033
http://tools.ietf.org/html/rfc4034
http://tools.ietf.org/html/rfc4035

Thanks

Chris
Comcast

Re:

[commodore64_love]

I use the Channel Master CM4228 which sits right next to my set on its own stand. It can get channels 7-51

You won't get many channels in Alaska. Might be better of going with Dish Network for just $32.50 per month.

Re:

[ZorinLynx]

One of the inherent problems with cable internet is that it's a shared medium. One bad fitting, or a customer with malfunctioning equipment can ruin the experience for EVERYONE on the node. And in some systems you can have thousands of customers on one node.

It's irritating that cable and DSL are the only options here, and DSL is from AT&T who refuses to provide anything faster than 6000/512k around here. I've been lucky so far on Comcast with my 16000/2000k business connection, but I just know that ther

Re:

[ZorinLynx]

I'm not talking about load problems, I'm talking about plant problems. Bad or marginal cable plant affects everyone, and it's a fact of life that problems start to crop up as the system ages.

Re:

[nurb432]

The way it sounds, opt-out is only for the short term anyway.

But i also wonder what practical issues its going to cause me on a daily basis.

Re:What is this?

[ctg1701]

What this means is that COMCST is now going to tell their customers that your only allowed to visit websites that have joined the system. They may be selling this as security, but make no mistake this is also a huge control system. I may have to cancel my service with them, when this happens. The simply fact is you may have some legimate website who choose willfully NOT to partake in such a control scheme. I may need to visit such a site and COMCST is going to essentially tell me I can't visit that site. No thanks, I don't need a big brother. I'm an adult and I can take care of my own computers and I don't need COMCST protecting me. I don't give a crap what they say, I alone should have the right to decide where I can and can't go on the internet, unless of course you don't believe in freedom. Just give me the fully open internet service I pay for ya dern COMCST Commies!!! Quit interferring with my traffic.

-Anonymous Coward (yeah right like they can't track you down by your ip the way the RIAA is racketering everybody)

You have clearly not read anything about DNSSEC and how this actually ensures you get the traffic you requested without anyone - including Comcast - interfering with your DNS requests. I highly recommend you read http://www.dnssec.comcast.net/faq.htm so you can understand why we are doing this and why the global Internet and DNS is moving to this standard.

Thanks

Chris
Comcast

Re:

[kevmeister]

As a network engineer not beholden to Comcast (except as a customer) who has spent considerable time implementing DNSSEC for a non-commercial network, DNSSEC completely removes the ability of the carrier to mess with DNS responses. You can be certain that, if a systems DNS data is signed and the public key has been passed to the delegating zone, the DNS response is correct and authoritative. If it is not signed and the public key supplied, DNSEC has NO effect at all.

In computer security circles Comcast

Re:

[beadfulthings]

OK, since you've clearly identified yourself, I'm going to write this with as much civility as I can muster. As I've already stated in this discussion, I'm a "home-business" subscriber. Frankly, I've had excellent support and follow-up from non-technical contacts, while technical support has been truly abysmal (while trying to opt-out of "Domain Helper"). Would you point us to either (a) written documentation or (b) phone information that would provide information on how to use the "business gateway" to con

Re:What is this?

[ctg1701]

Oh great. CCast sent shills already.

Actually I am one of the engineers that run the DNS at Comcast, but if you consider me a shill, so be it.

Re:

[cecom]

Good luck getting respect on Slashdot :-)

For what its worth, I have been a happy Comcast customer for years. My connection has been getting faster and recently (quite surprisingly) even more reliable.

I like how Comcast approached the IPv6 transition testing and I like what they are doing with DNSSEC.

Nothing is perfect in this world, of course, but you guys are doing a good job. So, thank you.

I used to work for CableVision Chris

[Anonymous Coward]

Actually I am one of the engineers that run the DNS at Comcast, but if you consider me a shill, so be it." - by ctg1701 (311736) on Monday October 18, @06:07PM (#33939512)

Well, at least YOU admitted that you work for COMCAST Chris... HOWEVER:

You also didn't admit what I strongly suspect is true though (myself having worked for CableVision, a like member of your industry in telecommunications)... what is that? Well, ok!

That You are one of your staff, one of a VERY SELECT FEW in fact, who is ALLOWED to speak here on this issue, & others in your firm, specifically lower level techs is my guess, were also STRICTLY WARNED to steer clear of commenting on this publicly online,

Re:

[cheese_wallet]

are you the timecube guy?

Re:

[Anachragnome]

"...Actually I am one of the engineers that run the DNS at Comcast..."

Until tomorrow morning, at which time you will be fired on the spot for actually providing useful information to Comcast customers.

Re:What is this?

[modmans2ndcoming]

when did Slashdot get populated with a bunch of morons who can't change a freaking router DNS setting?

Re:

[ctg1701]

Comcast must have a pretty active presence here- modded to oblivion because I engaged their rep in a public forum.

That is actually pretty funny. At least you have a sense of humor :-)

Re:What is this?

[billcopc]

Dude, I don't even live in the same country, and I'd have modded you down for turning a corporate matter into a personal attack. Comcast is big, and chances are this fellow had no choice but to carry out his orders. If he doesn't do as he is told, a more compliant replacement will be found.

If you hate the company so much, don't take it out on the worker bees, just take your money and go elsewhere. Don't like the alternatives ? Well tough tits, either start your own ISP or STFU. Bitching at a sysadmin will not get you anywhere, at best you will browbeat someone who doesn't deserve your ire, at worst he will mess with your service like any self-respecting BOFH should.

Re:

[RichiH]

> Comcast must have a pretty active presence here- modded to oblivion because I engaged their rep in a public forum.

That, or because the people with mod points understood that you are merely trolling an engineer for business-level decisions.

The fact that you are unable to use a non-default DNS server is not his fault. And trolling this person _in a thread which talks about DNS faking being phased out_.... Instant classic. Or -1 troll.

Re:

[ctg1701]

Are you guys running any tests in Seattle at night? DNS lookups regularly fail after midnight and are generally really spotty from midnight on. It's not a connectivity issue because I can always ssh using an ip address even when my web browser can't load pages due to lookup failures.

No we are not running any tests and our DNS is up and responding. If you are having issues, I would suggest stopping by our customer forums at http://forums.comcast.net to get help.

Thanks

Chris
Comcast

Re:

[modmans2ndcoming]

why would someone want any security through obscurity? It isn't real security.

Re:

[hardaker]

Ok, here: I'm not with comcast and the original post was just insanely uninformed. Go read *anywhere* else about dnssec and you'll find that comcast will have a hard time figuring out how turning it on can be a bad thing.

Re:

[Wannabe Code Monkey]

Oh great. CCast sent shills already.

What are you smoking? He came right out and stated where he worked. Do you know what a shill is? He also presented verifiable technical information on exactly what they're doing.

Re:

[andymadigan]

I'm not a Comcast Shill, I don't like a comcast area, and I can definitively say that is not how DNS SEC works. Checking against a database like that would be the worst possible security system imagined since autorun-based DRM.

No one can be this stupid, GTFO troll.

Re:

[andymadigan]

Bleh, sorry, that should have said "I don't live in a Comcast area".

domain helper?

[bhcompy]

Domain helper.. is that the crap that automatically relocates you to some ad serving search website when you input an unrecognized dns in the web browser? That kind of crap is why I switched to 4.1.1.1

Re:domain helper?

[ctg1701]

Domain helper.. is that the crap that automatically relocates you to some ad serving search website when you input an unrecognized dns in the web browser? That kind of crap is why I switched to 4.1.1.1

We will be disabling Domain Helper on our recursive resolvers and you will also get DNSSEC validation by using our Anycast resolvers. There is no redirection and you will also get the protections enabled by DNSSEC.

Thanks

Chris
Comcast

Re:

[jonwil]

Good to see at least one ISP realizing that returning anything other than NXDOMAIN for non-existant domains is a VERY bad idea. I hope other ISPs (and DNS providers and registrars) see sense and disable their wildcarding.

Doesn't make Comcast any less evil though (they wont stop being evil until they stop messing with BitTorrent, stop fighting any efforts to create competitors in their areas and adopt the principles of Net Neutrality)

Different subject: Speed

[Burz]

Would you mind commenting on why, over 9 years at several different Comcast-served residences, using DHCP in my routers to get and forward DNS server numbers to my systems has resulted in extremely slow lookups? I'm talking easily 5+ seconds per lookup with some complex web pages taking more than a minute to load.

I never had this problem with Verizon or Charter. The only solution for getting decent DNS performance on Comcast has been to use non-Comcast servers.

Re:

[jecowa]

I use 4.2.2.1-6. It's twice as fast as my ISP's default DNS server and has no ads.

Re:

[fyrewulff]

Weren't they talking about restricting it to their customers though (I believe 4.1.1.x is owned by Level3). Or did they change their mind on that?

Some more information...

[cobrausn]

Had no idea what it was either until I read this. http://blogs.techrepublic.com.com/networking/?p=234 [com.com]

This is a GOOD thing

[Anonymous Coward]

I've been using these months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.

Re:

[ctg1701]

I've been using these months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.

Absolutely correct, and hopefully people realize that we want to make your Internet service a better and safer experience.

DNSSEC Service Resolvers

[Anonymous Coward]

Am I tired already? I read that title as "Revolvers", and I wondered what the hell Comcast was doing selling handguns to people. For about thirty seconds. Then I wondered what the hell a "DNSSEC" revolver was for another thirty seconds. Then I smacked myself, re-read the thread title, and decided to make this utterly pointless post.

Sleep deprivation is a wonderful thing...

Re:

[fast turtle]

you think that's bad? I had one the other day that was embarassing as hell. Read Cub Scouts as Cum Scouts on a bumper sticker.

Re:

[John Hasler]

Try not reading bumper-stickers out loud.

Thanks for telling me.

[wdhowellsr]

I'm a Comcast subscriber and have had problems with DNS resolution. Just changed to the new DNS servers and magically it is about twenty times faster.

Cricket seems faster

[mdsolar]

I switched from Comcast to Cricket because the Comcast service was so unreliable. In the end, they could not even get a TV signal through reliably. But that is another story. What I notice though is that even when Comcast was working up to advertised speed, the name server delays were really bad. So, even with lower bandwidth, Cricket seems faster because their name servers work. Hope this move by Comcast makes an improvement.

From Comcast's DNSSEC FAQ

[HockeyPuck]

After reading their FAQ [comcast.net], looks like Comcast is doing the right thing and also admitting the DNS Redirector/Helper wasn't the right solution.

Are customers who have opted in to or out of Comcast Domain Helper impacted by this?

* When DNSSEC is deployed on all of our DNS servers, the web error redirect function at the core of Comcast Domain Helper will be disabled, as this is not technically compatible with DNSSEC.
* Customers that have opted out of Domai

I got this today

[Ritchie70]

I'm in a Chicago suburb and got this today:

This is a courtesy email to let you know that Comcast's DNS servers are changing to servers that use DNS Security Extensions (DNSSEC), as part of an evolving suite of security protections that are part of Comcast Constant Guard. These changes, which have started today in some markets, will be completed within the next sixty days or so. You do not need to take any action and you should not notice any changes to your service, though behind-the-scenes your service wil

Choice? Comcast DNSSEC Beta or ad-enhanced DNS?

[lpq]

So your choice is a Comcraptic DNSSEC testbed, or targeted ads?

While I am forced (alternatives are 5 times slower or 10x as expensive for the same speed) to connect through Comcast, I run my own DNS server -- I wonder how long that will be allowed.

Comcast is so messed up, though the US broadband as a whole is messed up and getting worse...wonder time to live in the US, in it's twilight years...

Re:migrate

[Anonymous Coward]

My other choice being.... dialup.

Comcast sucks, but it is the only choice for many of us. Competition doesn't work if there isn't any.

Re:

[zero_out]

Same here. Well, satellite and 1.5 Mbps DSL, but they might as well be dial-up. Comcast's 22 Mbps is the only reasonable choice, I'm sad to say.

Re:

[commodore64_love]

The US should be breaking-up these monopolies, the same way it broke-up the AT&T monopoly.

Also: 1.5 is it? My DSL goes up to 7.0 guaranteed, although I opted for the cheaper and slower $15 plan.

Re:migrate

[AlamedaStone]

The US should be breaking-up these monopolies, the same way it broke-up the AT&T monopoly.

The US should just nationalize the last mile, treat it as a utility, and avoid all that icky anti-trust litigation.

While I wait for that to happen I'm going to hold my breath until Steve McQueen rides a rainbow-winged pegasus out of my ass.

The reality will probably involve the encroachment of the insurance industry into the ISP realm. You'll need a co-pay to call customer service, and you can only use an ISP from the approved list.

I can't tell whether or not I'm joking.

Re:

[commodore64_love]

>>>The US should just nationalize the last mile, treat it as a utility, and avoid all that icky anti-trust litigation.

It can't.

Antitrust legislation is constitutional (says the supreme court), but nationalization of the lines is not. There are limits to what the US Government can do.

Re:

[Jane Q. Public]

They can't break it up "the same way", because it's not the "same" kind of monopoly. Most people don't understand that Ma Bell was not broken up over their monopoly on wired communications. They were broken up over illegal manipulation of the HARDWARE industry: telephones.

Ma Bell had been enjoined by a Federal court no less than 20 years earlier, that they must not use their monopoly power over the wires to control a monopoly on hardware as well. They ignored this injunction (and got away with it for ~ 2

Clarification

[Jane Q. Public]

I am really not a fan of government regulations. But some things work, and some things are appropriate for a government to do. This qualifies as both.

Re:

[commodore64_love]

>>>Ma Bell was broken up over illegal manipulation of the HARDWARE industry: telephones.

Comcast and other ISPs can be broken-up for the same reason: control of Set Top Boxes/hardware instead of letting customers choose their own equipment. - Also you're wrong to say Ma Bell should have kept its natural monopoly. Now I can choose from literally 50 different companies for long distance, in-state calls, and local service. Instead of paying the outrageous 50 cents/minute Ma Monopoly charged, I can

Re:

[Nadaka]

My other choice at the moment is tethering my phone at around 300 Kbps due to low signal quality. If I had 4g in my area, you bet I would drop cable in a heartbeat.

Re:

[vtcodger]

***Comcast sucks, but it is the only choice for many of us. Competition doesn't work if there isn't any.***

Correct. And even if one has DSL or FIOS, it is probably with a telephone company that is losing customers as they drop landlines and is probably going to provide deteriorating service in the future as they try to maintain the same size network with less revenue.

Ya know, many of us may be pretty much screwed.

Re:migrate

[Anonymous Coward]

If you're stuck with Comcast, there's an "alternative" that's often the best way to go: Comcast Business Internet service. It's run by a separate division of the company from the residential services, one that actually has competition and a decent customer service mindset. The business side also seems to completely avoid stupid stuff like Domain Helper in the first place. For those of you who still use TV or want other Comcast services, note that you can (and want to) mix-and-match Residential and Business services. For example, Residential for TV and Business for Internet -- the business rep who set up my account actually called this out and recommended it to avoid unnecessary restrictions on TV use applied to business accounts (e.g. no DVRs, etc.).

Re:

[Anonymous Coward]

http://consumerist.com/2010/09/comcast-wont-give-me-tv-service-because-im-a-home-business-customer.html [consumerist.com]

"Comcast won't give me TV service because I'm a home business customer"

Re:

[beadfulthings]

I signed up for something they call the "home business triple play" that provides business Internet and phone service with residential TV. The service is basically a hundred bucks a month plus an extra five for a toll-free number and some additional charges for HBO and a second TV hookup. We're still saving a lot over our previous Comcast TV and Internet plus Vonage phone.

The downside is that I've been trying since June to opt out of their Domain Helper, which mysteriously re-appeared along with the new bus

Re:migrate

[AstynaxX]

I opted out of Domain Helper by using manually configured DNS servers, OpenDNS at the moment. It seems if you manually migrate to their DNSSEC servers, Domain Helper goes away, as according to the FAQs the two are incompatible.

Re:

[tobiasly]

It seems if you manually migrate to their DNSSEC servers, Domain Helper goes away, as according to the FAQs the two are incompatible.

Wait, you mean to say that DNSSEC prevents man-in-the-middle servers from intercepting and modifying the traffic? Sounds like a pretty big flaw in this new "standard", they obviously weren't thinking of long-term monetization opportunities...

Re:migrate

[icebike]

Opting out of domain helper is as simple as changing your DNS servers in your router. Mine point to a OpenDNS (paid), and allow me to block a lot of advertising popups and under-lines.

Google also supplies free DNS servers (8.8.8.8 ).

To do this, I just bridged my router (The comcast business service box), they even told me how to do this. Then I use my own linux box to handle routing. But you can also set up your own dns sources using their box if you want.

The Business services bunch are a whole lot easier to deal with than the home services people.

Re:

[beadfulthings]

If I had mod points, I'd mod up both replies out of gratitude. Two very do-able suggestions. I hadn't realized I could do anything with their business box, and apparently I didn't catch their tech support on one of their better days. (Was told by one guy that they didn't support Macs, while another swore that I had the Mac plugged into the phone box.) Now I know what questions to ask.

Re:migrate

[Anonymous Coward]

Which is false. Im posting AC because I work in "Business Services" at comcast..

I don't know about this specific case but I do run in to this with "home office" accounts alot.

My bet his he wanted Business class internet and "Residential TV" at "Residential TV" costs.

The difference between Res and Biz TV? Well here in Connecticut mainly the COST.
It doesn't matter if its a night club or a guy running a WebDev company our of his attic...its a commercial account.
Biz class tv costs ALOT more then normal TV.
Biz class tv has all sorts of crazy rules and extra fee's to the content providers.
We can not offer VOD/"Pay Per-View" because the content providers are worried you will order it at your BAR and show everyone there for free...or charge at the door.
We can not offer DVR service because the content providers don't want you skipping all the commercials in your packed restaurant.
We can not offer Adult Content (PlayBoy/Spice/etc) to places of business because of the agreements we have with the city. (think of the children!)
on and on..

My bet is the guy in that linked story did not want to pay all this extra money for "less" TV.
The work around is simple: You get 2 account numbers,2 drops, and 2 bills. One is the biz-class internet which your company pays for and the other is your home TV.
Makes doing the taxes simple and if your company is paying you to telecommute you just hand them the whole Biz internet bill.

From what I can tell comcast doesn't care all that much about pushing Biz Class TV(at least in this state) because its to much of a PITA with the regs/fee's and in the end we don't make all that much on it.Not being able to put "upsells" on it like DVR/VOD hurts. The only thing its really good for is keeping ATT/DISH/etc OUT of your company and getting us in the door with the internet/phone.

Re:

[icebike]

You are exactly correct, the two-bill setup is what I have and it works fine.

Business internet, and Residential TV+Phone. Since its a home office setup, I have no paying customers viewing my TV so there is no licensing conflict.

Its actually all on a single drop, split at the demarc before it hits any comcast box.

My static IP allows me to open a couple ports for my clients without comcast security getting all over my case.

Re:

[bastion_xx]

Do it the other way around, that's what we've done for our employees. First they order Comcast cable only (any package) if they so desire. Some are on satellite and have opted not to do that. Then you order Comcast Business and tie it to your company but the service address is the employee's house. They are more than happy to do that and the few times we've called them to resolve issues that required a truck roll, the tech wasn't a contractor but an actual Comcast employee who knows the the business service

Re:

[Omniscientist]

This is true; it is difficult to get TV service if you subscribe to Comcast Business.

As far as I'm concerned, high quality Internet service trumps TV any day. I get great download/upload speeds (not sure what residential is at, but it is fine for my purposes), great 24 hour customer/technical support that knows wtf they're talking about (Me: "Hey, can you set up reverse DNS for me?" Them: "Sure!"), two or more static IP's, consistent monthly prices that don't go up, etc.

I'll never buy TV service again, ever

Re:migrate

[rwyoder]

If you're stuck with Comcast...

"Stuck with Comcast"??? From my perspective as a network engineer, Comcast is taking the lead in deploying IPv6, and now DNSSec. They are putting the rest of the corporate world to shame on these fronts. (And I am neither an employee, nor a customer of Comcast.)

Re:migrate

[Fallon]

I don't understand all the hate for Comcast, at least here in Colorado Springs. In the past year and a half I've had service with them I've had less than a couple of hours of downtime (at least that was their fault and not me fiddling with my router). Good bandwidth & pings, who could as for more. It really blew me away after spending the past decade on military bases in the middle of nowhere overseas or downrange (1 second+ ping times, 10-30% packet loss, modem class bandwidth).

Re:

[ZorinLynx]

Location location location.

If you're in an area with a simple or recently updated cable plant, where there's less customers on each node, you will have absolutely excellent performance, like myself.

If you're in an area with 20 year old cable plant that has corroded/loose fittings, bad or marginal amplifiers and other equipment that hasn't received enough love lately, it will be comparable to the sort of Internet access you would receive in hell. Dropped packets, modem resyncing, and so on.

Also, another cust

Re:

[commodore64_love]

>>>another customer on the same node with bad equipment spewing noise into the upstream channel can also knock you offline

I'm glad I don't have to share the line on my DSL.

Re:

[tepples]

I'm glad I don't have to share the line on my DSL.

But how much did it cost to move into range?

Re:

[theaveng]

Nothing cause I didn't move. DSL came to me when the telco ran fiber to the neighborhood, attached it to existing telephone wires, and then mailed-out letters to everyone asking them to join DSL.

Probably the same is true for c64_love

Re:

[vtcodger]

***DSL is shared, one hop further up the line than the cable customer.***

Sure, but hopefully it's a more balanced load because it is the average load from a much larger number of customers.

Re:

[rjstanford]

The internet is shared.

If it wasn't shared, it wouldn't work.

Re:

[dch24]

I can't fill you in on all the shenanigans that Comcast has been up to. Not enough time, and tl;dr.

Still, I am one of those people who will never buy Comcast. I won't move into a neighborhood where they have a monopoly. Take that, real estate prices!

Re:

[Anonymous Coward]

Yeah, I'll just migrate off Comcast over to that other cable company that offers service right alongside the existing monopoly.

Re:

[gad_zuki!]

>You really should be migrating off of Comcast

So the local telco monopoly is somehow better than the local cable monpoly? Err, seriously? I have dozens of AT&T horror stories and only a couple Comcast ones. Just getting AT&T installed anywhere is this Kafkaesque experience of dealing with multiple departments, multiple liars, multiple lazy no shows, etc who when instructed basic things "This is a new condo, thus you'll need to do more than just terminate at the demarc outside" they just pass the

Re:

[modmans2ndcoming]

shoot... Comcast doesn't even nickel and dime you on their products either. I did an analysis of Comcast and WOW for my service level, ignoring the Fancast goodness, I get way less with WOW than I do with Comcast for the money I spend.

Wow puts their hand out for every freaking little thing... HD channels, they cost 2 bucks more for a DVD, they charge 2 bucks more for a cable card, they actually charge for the tv listings, etc. yeah... Comcast might be doing the same thing but if they are they are hiding it

Re:

[Darth_brooks]

Exact opposite here. Comcast is shit. Utter shit. Phone-net-TV bundle was going down several times per month. Make a server call, tech finds a lousy return signal, corrects, rinse wash repeat. I went to U-verse and my connection's been solid. Not mind blowing, but nothing yet that a reboot of the afflicted box can't fix.

In an ideal world there'd be multiple companies offering me DSL and Cable over the same shitty infrastructure, and one of those companies might actually get motivated to *improve* the infras

Re:

[adolf]

It clearly depends on where you are at.

I've had really good luck with AT&T. My U-Verse line is over 3,000 feet long, which is technically out-of-spec. It took a long, long time to get it to work correctly. This isn't so much AT&T's fault, as it is just a coincidence between the location of my house, the location of the VRAD, and the route of the overhead of the wires, none of which anyone (including me) were inclined to move. It was a weird problem: It'd work just fine, until evening came and t

OR.. at least migrate off Domain Helper, here:

[odd42]

http://dns-opt-out.comcast.net/help-index.php [comcast.net]

Re:

[afidel]

OpensDNS has the same flaws as Comcast's Domain Helper service (ie does not return NXDOMAIN), GoogleDNS has some issues I can't remember and for us has pretty significant latency.

Re:

[ctg1701]

OpensDNS has the same flaws as Comcast's Domain Helper service (ie does not return NXDOMAIN), GoogleDNS has some issues I can't remember and for us has pretty significant latency.

Currently neither support DNSSEC validation and with us enabling DNSSEC on our recursive resolvers, we are disabling Domain Helper. Please check out http://www.dnssec.comcast.net/faq.htm for more details.

Thanks

Chris
Comcast

Re:

[afidel]

Good to hear, always glad to hear that the Internet is getting a little less broken. Btw do these recursive resolvers support IPv6 yet?

Re:

[icebraining]

GoogleDNS with local cache works pretty well for me.

Re:

[icebraining]

GoogleDNS doesn't share info with other Google systems.

Is any of the information collected stored with my Google account?
No.
Does Google share the information it collects from the Google Public DNS service with anyone else?
No.
Is information about my queries to Google Public DNS shared with other Google properties, such as Search, Gmail, ads networks, etc.?
No.

Re:

[icebraining]

Their other privacy policies are very clear about all the data they record. Why would they lie in this particular case? It's not like people wouldn't use it, when everyone and their mother uses the search engine despite clearly stating they record everything.

Obviously I can never be sure, but the Occam's razor applies here, in my opinion.

Their moto is something like "Don't be evil." It makes me wonder if being evil is something they struggle with.

It's not official, it's only an item in their corporate philo

Re:a bit confused

[afidel]

No, Comcast is going to offer DNS servers that properly handle DNSSEC including passing along signed root answers. It is up to the client whether they wish to accept or reject unsigned domains (or in the case of anti-spam appliances probably give additional weight to non-signed domains).

Re:

[ctg1701]

What does this mean for webmasters? Are all of us going to need DNSSEC keys on our websites or does this just apply to comcast's array of websites? I wasn't aware that DNS had any kind of security issue which would warrant a revamp. How will this affect the future of the web?

This has little to do with websites and more to do with the zones in the DNS for the websites. This adds an additional layer to protect the DNS from attacks. I suggest if you want more information, please read the following: http://www.dnssec.comcast.net/faq.htm

Thanks

Chris
Comcast

Re:

[QuoteMstr]

My favorite resolver is 127.0.0.1. Running your own recursive DNS server is easy.

Re:

[Maxo-Texas]

Glad to see a nice calm response. Don't respond to trolls.

Understand comcast has some issues of behavior that users don't like and leave that for another day.

Re:

[AltairDusk]

I actually switched back to OpenDNS from Google DNS, the latency was worse with Google. I don't see anything malicious about referring to Google as third party either. Under the common usage of the terms your ISP is first party, someone affiliated with the ISP but not the ISP would be second party and anyone else is third party. First world/Second world/Third world country have a completely different meaning.