Donate
‹ Back
Domain Name System Security Extensions (DNSSEC) 12 June 2014

Case Study: Comcast’s DNSSEC Implementation

comcast_logo_200

Comcast, one of the largest Internet Service Providers (ISPs) in North America, started their Domain Name System Security Extensions(DNSSEC) deployment in 2008 and completed it in January of 2012. All of Comcast’s 18 million residential customers now use DNSSEC-validating DNS servers by default.  Additionally Comcast signed all of their own 6,000 domain names with DNSSEC.

The greatest challenge Comcast faced with their DNSSEC rollout was regarding customer education. Customers want to reach web sites – they don’t care if a site is unreachable because it failed validation procedures, regardless of whether the cause is due to error or malicious behavior. To help improve customer communication, Comcast used their DNS information site to communicate current DNSSEC issues to its customers. They also employed “Negative Trust Anchors” to temporarily skip sites with broken DNSSEC configurations.

To learn more about how Comcast deployed DNSSEC, including the issues they faced and their solutions, check out the presentation / case study from Chris Griffiths of Comcast at ICANN 45’s DNSSEC workshop.

When you’re finished check out some of our other DNSSEC resources or visit our “Start Here” pages to find DNSSEC-related information focused on your type of organization.

‹ Back

Related articles

State of DNSSEC Deployment 2016
State of DNSSEC Deployment 2016
Domain Name System (DNS)31 December 2016

State of DNSSEC Deployment 2016

This report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. Please download the...

DNSSEC
Building Trust1 October 2017

DNSSEC

The Domain Name System (DNS), the Internet’s addressing system, is the most critical component of the Internet infrastructure. As with...

Google Public DNS - DNSSEC Validation
Deploy36019 March 2013

Google Public DNS – DNSSEC Validation

Google provides DNSSEC validation through the use of their "Google Public DNS" servers.  If your local DNS resolvers do not...

Join the conversation with Internet Society members around the world