Comcast supporting outbound DANE Thumbnail
Deploy360 21 August 2017

Comcast supporting outbound DANE

By Kevin MeynellFormer Senior Manager, Technical and Operational Engagement

Comcast has announced that it’s piloting outbound DANE with selected domains, as of the end of July 2017.

Back in 2015, they added TLSA records to the ‘’ domain to allow external senders to authenticate the digital certificates presented by its MTAs, and this pilot will allow them to do the same for their traffic destined for other sites. The aim is to gain experience with this, with the plan being to eventually remove all restrictions and attempt DANE authentication for all destination domains.

DANE addresses one of the inherent weaknesses of digital certificates being issued by third-party Certificate Authorities (CAs), by allowing certificates to be cryptographically bound to DNS names. This is achieved by adding TLSA records to a DNSSEC-signed zone in the DNS, thereby allowing hosts to be validated using DNSSEC.

This is significant development from one of the major network operators that should encourage increased deployment of both DANE and DNSSEC.

And if you’re interested in deploying DANE, then you’d be well advised to read our two-part guide on how we did it in the Go6Lab.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...