Deploy360 10 January 2012

Comcast Gives 17.8M Customers Access to DNSSEC-validating DNS Servers

By Dan York, Director, Internet Technology

In a rather huge step for DNSSEC deployment, Comcast, the largest Internet Service Provider (ISP) in the United States, announced that they have completed the deployment of DNSSEC and have given their 17.8 million customers access to DNSSEC-validating DNS servers. Their post states in part:

As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6.

This is a huge step because it removes what seems to me to be one of the largest barriers to getting more widespread usage of DNSSEC – the lack of access to local DNSSEC-validating DNS resolvers. As Comcast explains in their post about the role of an ISP:

The first role is perhaps the most critical, which is validating DNSSEC as part of the DNS lookups performed for our customers. These lookups occur when a customer tries to access a site, such as Then, when a customer tries to connect to that website, a Comcast DNS server checks that domain name, and verifies that signature to ensure that it is valid and has not been tampered with by hackers or other criminals.

As I have been developing content for the Deploy360 site related to DNSSEC, such as my recent instructions on how to add DNSSEC lookups to Firefox, the stumbling block seems to be whether or not your local computer can get back the DNSSEC information that it needs to perform actions such as displaying an icon or warning.

Given that customers typically use the DNS servers at their ISP, if that ISP doesn’t support DNSSEC, the customers are out of luck. Either they have to point their system to other DNS servers, install their own local validating resolver (such as Unbound configured by DNSSEC-Trigger), or use a plugin like the one I reviewed for Firefox that uses its own DNS servers.
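The practical question behind that paragraph is "does the resolver my ISP hands me actually validate?" A validating resolver answers a query that carries the EDNS0 DO bit with the AD (Authenticated Data) bit set for a correctly signed name, and with SERVFAIL for a name in a deliberately broken zone (Comcast runs dnssec-failed.org for exactly that purpose). The following stand-alone checker is an added example written for this page, not code from Comcast or from the original post; it uses only the Python standard library, and the header-only sample responses in it are constructed for offline testing rather than captured from any resolver. The resolver address and test names on the command line are the caller's choice, not facts asserted by this page.

```python
"""Check whether a recursive resolver validates DNSSEC by looking at the
AD (Authenticated Data) bit in its responses (RFC 4035, section 3.2.3).

Standard library only.  build_query() emits a query with the EDNS0 DO bit set
(RFC 4035, section 3.2.1); parse_response() reads the response header;
classify() turns two lookups into a verdict.  sample_response() fabricates
header-only responses so the logic can be exercised offline; those bytes are
constructed here, not captured from any resolver.
"""
import os
import socket
import struct

FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: a real client retries over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: resolver validated the answer
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Query for (name, qtype) with RD=1 and an OPT pseudo-RR carrying DO=1,
    which tells the resolver the client wants DNSSEC data and an AD verdict."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID (RFC 5452)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size 4096, extended RCODE 0,
    # EDNS version 0, flags with DO (0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_response(txid, resp):
    """Decode the 12-byte header; reject replies whose ID does not match."""
    if len(resp) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "ad": bool(flags & FLAG_AD),
        "ra": bool(flags & FLAG_RA),
        "tc": bool(flags & FLAG_TC),
        "ancount": an,
    }


def classify(good, bogus):
    """good: result for a name in a correctly signed zone.
    bogus: result for a name in a deliberately mis-signed zone.
    A validating resolver sets AD on the first and answers SERVFAIL on the
    second (RFC 4035, section 5.5)."""
    if good["ad"] and bogus["rcode"] == "SERVFAIL":
        return "validating"
    if not good["ad"] and bogus["rcode"] != "SERVFAIL":
        return "not validating"
    return "inconsistent"


def sample_response(txid, flags, rcode=0, ancount=0):
    """Constructed header-only response for offline tests (not a capture)."""
    return struct.pack("!HHHHHH", txid, flags | (rcode & 0x0F), 1, ancount, 0, 0)


def lookup(server, name, qtype=1, timeout=3.0):
    """Send one query over UDP to `server` and return the parsed header."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(txid, data)


if __name__ == "__main__":
    import sys
    # Usage (resolver and names are the caller's choice, e.g. the resolver
    # from your DHCP lease, a name you know is signed, and dnssec-failed.org):
    #   python3 adcheck.py <resolver-ip> <signed-name> <bogus-name>
    server, good_name, bogus_name = sys.argv[1:4]
    good, bogus = lookup(server, good_name), lookup(server, bogus_name)
    print("good:", good, "\nbogus:", bogus, "\nverdict:", classify(good, bogus))
```

Two caveats a practitioner should keep in mind when reading the verdict. First, the AD bit is just one bit in an unauthenticated UDP reply: it tells you the resolver validated, but anyone who can spoof traffic between your machine and that resolver can set it too, which is why the locally validating option mentioned above remains the stronger choice. Second, a client that sets the CD (Checking Disabled) bit asks the resolver not to validate, so a checker must leave CD clear, and if TC comes back set the query should be repeated over TCP, since signed answers are often too large for a single UDP datagram.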

Now, with this one move, Comcast has opened up the world of DNSSEC to 17.8 million people! The resolver addresses their Comcast connection hands them will now validate DNSSEC.

Nothing more for them to do!

Welllllll… those Comcast customers need to have applications that understand DNSSEC and can present DNSSEC warnings (a topic recently discussed here), but those apps will come over time. At least now those apps can be deployed to Comcast customers!

Kudos to the Comcast team who has been working on this project for some time now!

And who will be the next large ISP to roll out DNSSEC-validating DNS servers to all of their customers?

P.S. Comcast also greatly helped the deployment of DNSSEC themselves by signing all 5,000 of their domains! Another awesome move to help the momentum behind DNSSEC.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
