
Comcast, one of the largest Internet Service Providers (ISPs) in North America, started its Domain Name System Security Extensions (DNSSEC) deployment in 2008 and completed it in January of 2012. All of Comcast’s 18 million residential customers now use DNSSEC-validating DNS servers by default. Additionally, Comcast signed all of its own 6,000 domain names with DNSSEC.
The greatest challenge Comcast faced with its DNSSEC rollout was customer education. Customers want to reach web sites; when a site is unreachable because it failed DNSSEC validation, they don’t care whether the cause was an error or malicious behavior. To improve customer communication, Comcast used its DNS information site to tell customers about current DNSSEC issues. It also employed “Negative Trust Anchors” to temporarily skip DNSSEC validation for sites with broken DNSSEC configurations.
To learn more about how Comcast deployed DNSSEC, including the issues they faced and their solutions, check out the presentation / case study from Chris Griffiths of Comcast at ICANN 45’s DNSSEC workshop.
When you’re finished, check out some of our other DNSSEC resources or visit our “Start Here” pages to find DNSSEC-related information focused on your type of organization.