Well, no. That's not a good idea. From the resolver's point of view, the domain now looks pretty much exactly as it would if someone were trying to use a stale copy of the data to hijack it and send your requests to a bad place. It is not good to recommend that people switch to a DNS server that ignores such problems -- Google and Comcast are doing exactly the right thing, and what OpenDNS is doing is dangerous.
-
Want to remove ads? Register an account and login to see fewer ads, and become a Supporting Member to remove almost all ads.
Well, no. That's not a good idea. From the resolver's point of view, the domain now looks pretty much exactly as it would if someone were trying to use a stale copy of the data to hijack it and send your requests to a bad place. It is not good to recommend that people switch to a DNS server that ignores such problems -- Google and Comcast are doing exactly the right thing, and what OpenDNS is doing is dangerous.
I'm not sure about the DNS problems, but there was a brief power outage at the server. It didn't automatically reboot. We turned it back on manually, and EVTripPlanner should be back now. Tell me if you experience otherwise.
PS- I won't be able to respond to issues very quickly for a while. I'm out of country and often off grid for the next six months.
PS- I won't be able to respond to issues very quickly for a while. I'm out of country and often off grid for the next six months.
SomeJoe7777
Marginally-Known Member
I'm not positive to what degree OpenDNS is ignoring the invalid RRSIG. It's possible that it's not processing or supporting DNSSEC entries at all. It's also possible that it sees that the RRSIG is expired, but the signature is otherwise cryptographically valid, and therefore allowing it.
Either way, OpenDNS's behavior isn't necessarily dangerous. Many DNS resolvers have yet to support DNSSEC, and a signature that is expired but otherwise valid is probably still more secure than an unsigned DNS record.
Moving forward though, I agree that all DNS resolvers should eventually fully support DNSSEC and have a strict interpretation of the signature chain, just like SSL certificates.
SomeJoe7777
Marginally-Known Member
Your site will be unavailable for a large portion of the Internet until the DNS RRSIG records are fixed by either you, your registrar, or your DNS provider.
My understanding of this issue is a little hazy (the local DNSSEC expert at $WORK is on vacation) but just to try to clarify for @EVTripPlanner, fixing the RRSIG records is not necessarily related to whether the server is up or not. Even if the server is up, some people will be able to reach the site (if they're using resolving servers that don't do DNSSEC verification) and some people won't (if their resolvers do check the DNSSEC records, i.e. RRSIG).
Bruce.
In any case, a good proportion of 'your ISP' being down problems for the average user is that their DNS is broken. Changing to an external DNS provider fixes that issue. DNSSEC is not part of the general equation, and I don't know why evtripplanner even uses it, since it's not exactly an extra-secure application. As I mentioned somewhere, if you are going to use things like DNSSEC, you need to be sure that the records (like any other cert) don't expire.
mka
Member
whitex
Well-Known Member
evtripplanner.com is resolving for me now and site is up. I use internal (to my house) DNS servers (running on Windows Server).
Unfortunately, if I try resolving through Google DNS (8.8.8.8) it still fails.
Unfortunately, if I try resolving through Google DNS (8.8.8.8) it still fails.
Last edited:
cpa
Active Member
OK, it is still down for me.
Firefox gives me the generic message about checking to make sure that I typed the address in correctly.
I have no idea what y'all are jibber jabbering about above. Your explanations make zero sense to me.
So, am I locked out?
Firefox gives me the generic message about checking to make sure that I typed the address in correctly.
I have no idea what y'all are jibber jabbering about above. Your explanations make zero sense to me.
So, am I locked out?
whitex
Well-Known Member
Temporary work-around for those who don't want to mess with their DNS settings:
Go to https://47.150.70.100/
But then you have to click through to accept an invalid certificate (since the certificate is for "www.evtripplanner.com" and not "47.150.70.100").
Go to https://47.150.70.100/
But then you have to click through to accept an invalid certificate (since the certificate is for "www.evtripplanner.com" and not "47.150.70.100").
dgpcolorado
high altitude member
Glad I'm not the only one who hasn't a clue what the discussion above is all about!
This worked for me, thanks.
whitex
Well-Known Member
In case you want a simplified explanation, DNS is an internet "phone book" which allows your browser (Firefox, Safari, Chrome, Explorer, etc) to lookup the name "evtripplanner.com" and find it's "internet number" (in this case 47.150.70.100). Currently, there is a problem with the evtripplanner's entry in that phonebook, or at least some copies of it. The workaround I suggested simply skips the lookup step and directs the browser to connect directly to the server's internet number. The workaround however will stop working at some time in the future (could be days, could be years), hence calling it "temporary".
SomeJoe7777
Marginally-Known Member
Reader's Digest version:
- There is a problem with evtripplanner.com that has nothing to do with your computer or device. If your device cannot get to the site, it's not your fault.
- The owners of the evtripplanner.com domain have to fix it.
- The problem doesn't affect everybody, it's dependent on who your Internet Service Provider is.
- If you are affected, there are some work-arounds to still use evtripplanner.com until the owners fix it:
- Use https://47.150.70.100. You will get a warning about an untrusted certificate, this is expected when using this work-around. You will have to click an additional button to bypass this warning.
- Change DNS settings on your computer to 208.67.222.222 and 208.67.220.220. This is a more complicated work-around, but will avoid the untrusted certificate warning.
whitex
Well-Known Member
I would not recommend that to those who don't understand the full implications. This will also be the first thing your internet provider support guys will change back if you ever call them about any troubles.
Recommending that people switch from DNS servers that support DNSSEC to ones that don't is really, really irresponsible.
Last edited:
Thank you Ben. Great product.
I encourage everyone who uses it to donate every so often.
To all of you getting into the details behind servers, re-read ben's note and let's put this to rest (or, by all means start a new thread).
SomeJoe7777
Marginally-Known Member
DNSSEC is not fully supported by many resolvers. There are millions of DNS requests per day that ignore DNSSEC. It will be nice when it is fully implemented, but as of now that's not the reality.
Furthermore, only a small fraction of domains even have DNSSEC records. The vast majority do not. Using a resolver that supports DNSSEC doesn't help you with those domains.
And finally, only if your client (i.e. computer or other device) supports DNSSEC validation do you get end-to-end validated security. If it doesn't (which includes Windows machines and virtually every other device out there), then you have to implicitly trust the upstream resolver (e.g. Google, Comcast, etc.) and the IP transport path between you and them.
Given those facts, switching to use DNS resolvers that may not support DNSSEC is virtually no hit on your security at the present time.
What needs to happen here is that evtripplanner.com's owners need to either fix their DNSSEC records or remove them completely.
Ben's note is welcome, but the problem that is causing many people to be unable to reach evtripplanner.com does not have anything to do with the problem Ben cited. To suggest that we move the actual problem discussion to another thread doesn't make a whole lot of sense to me.
Whitmarsh
Member
I can get to the site and log in and it gets my latest trip but it won't load the Google map.
Last edited:
