Deploy360 21 August 2017

Comcast supporting outbound DANE

By Kevin Meynell, Content and Resource Manager

Comcast has announced that it’s piloting outbound DANE with selected domains, as of the end of July 2017.

Back in 2015, they added TLSA records to the ‘’ domain to allow external senders to authenticate the digital certificates presented by its MTAs, and this pilot will allow them to do the same for their traffic destined for other sites. The aim is to gain experience with this, with the plan being to eventually remove all restrictions and attempt DANE authentication for all destination domains.

DANE addresses one of the inherent weaknesses of digital certificates being issued by third-party Certificate Authorities (CAs), by allowing certificates to be cryptographically bound to DNS names. This is achieved by adding TLSA records to a DNSSEC-signed zone in the DNS, thereby allowing hosts to be validated using DNSSEC.
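The matching step a DANE-aware sender performs on a TLSA record, shown as an added example that is not part of the original post and not Comcast's implementation. It checks a usage-3 (DANE-EE) record against the certificate an MTA presents; the function names and the sample certificate skeleton are constructed for illustration, and the TLSA answer is assumed to have been DNSSEC-validated already.

```python
import hashlib

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long-form length, as in real certs
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def spki_from_cert(cert):
    """Slice SubjectPublicKeyInfo out of a DER-encoded X.509 certificate."""
    _, tbs_pos, _ = _tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, tbs_pos)          # tbsCertificate SEQUENCE
    tag, _, after_version = _tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = after_version
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)
    return cert[pos:end]

def tlsa_matches(rdata, cert_der):
    """Check one DANE-EE TLSA record (presentation format) against a certificate.

    Assumes the TLSA RRset was already DNSSEC-validated by the resolver.
    """
    usage, selector, mtype, data = rdata.split(None, 3)
    if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unsupported TLSA parameters: " + rdata[:5])
    subject = cert_der if selector == "0" else spki_from_cert(cert_der)
    if mtype == "1":
        presented = hashlib.sha256(subject).hexdigest()
    elif mtype == "2":
        presented = hashlib.sha512(subject).hexdigest()
    else:                                    # matching type 0: exact bytes
        presented = subject.hex()
    return presented == "".join(data.split()).lower()

def _der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length; sample is tiny

# Constructed sample: a certificate-shaped DER skeleton, not a real certificate.
SAMPLE_SPKI = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00\xde\xad\xbe\xef"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

A "3 1 1" record pins only the public key, so it keeps matching when the certificate is reissued with the same key, whereas a selector-0 record must be republished with every new certificate.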

This is a significant development from one of the major network operators that should encourage increased deployment of both DANE and DNSSEC.

And if you’re interested in deploying DANE, then you’d be well advised to read our two-part guide on how we did it in the Go6Lab.
