I have been experiencing problems accessing web sites from home. My ISP is Comcast. I have discovered the problem. Comcast has recently implemented DNSSEC – Domain Name System Security Extensions. DNSSEC validates web site domain name settings with a fine-tooth comb. In many cases this fine-tooth comb is filtering out sites which you would think should be A-OK, sites like portal.microsoftonline.com (the Microsoft Exchange Online web site) or www.mass.gov (the State of Massachusetts web site).
It all has to do with DNS servers. A DNS server is like a phone book that gives you the number associated with the name. If your computer can’t associate the name (URL) with the IP address (phone number), it can’t make the call.
In researching the problem, I discovered that DNS could not resolve these URLs. That means that when the computer looks up the URL in the DNS servers to get the associated IP address to call the web page, it can’t find the IP. It can’t find the IP because access has been denied by Comcast’s DNS servers. It has been denied because Comcast now uses DNSSEC to validate URLs – theoretically for improved security.
The problem is that many web sites do not yet comply with DNSSEC validation rules.
If you are experiencing issues accessing certain web pages, check out the site using this tool: http://dnssec-debugger.verisignlabs.com/ and enter the web site in question. If you see all green lights, the site is OK; if you see red lights, the site may not be in compliance with DNSSEC validation rules.
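A local check to go with the web tool, as an added example that is not part of the original post: it asks the same resolver for a name twice, once normally and once with the DNS "Checking Disabled" (CD) bit set, and compares the two answers. It assumes the resolver behaves as a standard validating resolver does (SERVFAIL when validation fails, an answer when CD tells it to skip validation); the resolver IP is whatever your machine is configured to use and is passed on the command line.

```python
import secrets
import socket
import struct
import sys

RD, AD, CD = 0x0100, 0x0020, 0x0010   # header flag bits (RFC 1035, RFC 4035)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def build_query(name, qid, cd=False):
    """A-record query. AD asks the resolver to report validation status;
    CD (Checking Disabled) asks it to skip DNSSEC validation."""
    flags = RD | AD | (CD if cd else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_header(resp):
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", resp[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & AD), "answers": an}

def classify(normal, unchecked):
    """Compare the validating answer with the CD=1 answer for the same name."""
    if normal["rcode"] == NOERROR and normal["answers"]:
        return "resolved, DNSSEC-validated" if normal["ad"] else "resolved, not authenticated"
    if normal["rcode"] == SERVFAIL:
        if unchecked["rcode"] == NOERROR and unchecked["answers"]:
            return "blocked by DNSSEC validation"
        return "SERVFAIL unrelated to validation"
    if normal["rcode"] == NXDOMAIN:
        return "name does not exist"
    return "other failure"

def ask(name, resolver, cd, timeout=3.0):
    qid = secrets.randbits(16)          # unpredictable query ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid, cd), (resolver, 53))
        hdr = parse_header(s.recvfrom(4096)[0])
    if hdr["id"] != qid:
        raise ValueError("response ID mismatch")
    return hdr

def diagnose(name, resolver):
    return classify(ask(name, resolver, cd=False), ask(name, resolver, cd=True))

if __name__ == "__main__":              # usage: script.py <name> <resolver-ip>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

A result of "blocked by DNSSEC validation" means the name resolves but its signatures do not check out, so the fix lies with the site's DNS operator rather than with your computer.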
Feel free to call Comcast, but get yourself to a supervisor quickly; the underlings, as nice as they are, don’t have a clue.