Domain Name System Security Extensions (DNSSEC) 12 June 2014

Case Study: Comcast’s DNSSEC Implementation


Comcast, one of the largest Internet Service Providers (ISPs) in North America, started their Domain Name System Security Extensions(DNSSEC) deployment in 2008 and completed it in January of 2012. All of Comcast’s 18 million residential customers now use DNSSEC-validating DNS servers by default.  Additionally Comcast signed all of their own 6,000 domain names with DNSSEC.

The greatest challenge Comcast faced with their DNSSEC rollout was regarding customer education. Customers want to reach web sites – they don’t care if a site is unreachable because it failed validation procedures, regardless of whether the cause is due to error or malicious behavior. To help improve customer communication, Comcast used their DNS information site to communicate current DNSSEC issues to its customers. They also employed “Negative Trust Anchors” to temporarily skip sites with broken DNSSEC configurations.

To learn more about how Comcast deployed DNSSEC, including the issues they faced and their solutions, check out the presentation / case study from Chris Griffiths of Comcast at ICANN 45’s DNSSEC workshop.

When you’re finished check out some of our other DNSSEC resources or visit our “Start Here” pages to find DNSSEC-related information focused on your type of organization.

Related articles

Building Trust 1 October 2017


The Domain Name System (DNS), the Internet’s addressing system, is the most critical component of the Internet infrastructure. As...

Deploy360 3 April 2017

Introduction to PKIs & CAs

In order to be trusted, the Internet must provide channels for secure and private communication between entities, which can...

Domain Name System (DNS) 31 December 2016

State of DNSSEC Deployment 2016

This report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. Please download...