DNSSEC FAQs, Comcast getting ready for the future Internet


DNSSEC FAQs


In 2010 and 2011, we are conducting a DNSSEC technical trial in our production network in order to prepare for the full scale deployment of DNSSEC (which began in October 2010). All Comcast customers will eventually be automatically migrated to our DNSSEC validating servers. If you don’t want to wait, you can immediately start using DNSSEC by manually configuring your DNS servers to point to the IP addresses 75.75.75.75 and 75.75.76.76. Check out this video to learn more.

  1. What is this?
  2. What is the new timeline?
  3. What is DNSSEC?
  4. How can customers opt-in to DNSSEC before they are migrated automatically?
  5. How long will the trial last?
  6. Are customers who have manually configured their DNS IP addresses to point to Comcast’s current DNS servers opted-in?
  7. Are customers who have opted in to or out of Comcast Domain Helper impacted by this?
  8. What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?
  9. What are the key questions you are trying to answer during the trial?
  10. What happens if I try to access a website that fails DNSSEC validation?
  11. Will client software like a web browser indicate if DNSSEC is in use?
  12. What messages will the Firefox DNSSEC Validator show?
  13. How can I validate whether or not I am using the DNSSEC servers?
  14. How far have you progressed in the migration?

What is this?

  • On February 23, 2010 we announced our plans to implement security validation in the DNS servers that our customers use, as well as for signing authoritative domains such as comcast.com and comcast.net. This will add security to the DNS infrastructure that our customers use to surf the web as well as help provide secure DNS records for our Internet-facing web properties.
  • This February 2010 announcement outlined an initial opt-in DNSSEC trial, as well as our plans to sign our own domains, and when DNSSEC will be available for all customers to use.
  • This was the first large-scale national DNSSEC customer trial in the US, which began on February 23, 2010, on an opt-in basis.
  • Comcast’s February 2010 commitment to fully implementing DNSSEC on our network, which has now been updated here, was initially:
    • For all of our own domain names by the end of the first quarter of 2011.
    • For all customers using our High Speed Internet service by the end of 2011.

What is the new timeline?

  • On October 18, 2010, we announced an updated timeline, and the start of the rollout of DNSSEC to our customers.
  • Our October 18, 2010 commitment to fully implementing DNSSEC on our network is:
    • For all of our own domain names by the end of the first quarter of 2011, completing roughly when the .COM Top Level Domain (TLD) is signed.
    • For all customers using our High Speed Internet service, customers will begin to migrate on October 18, 2010, and will complete migrating by approximately March 31, 2011.

What is DNSSEC?


  • DNSSEC adds digital signatures to DNS data so that validating resolvers (such as those run by websites and ISPs) can verify that the answers they receive for a domain are authentic and have not been altered in transit. This prevents attackers from injecting forged records into a resolver’s cache (aka DNS cache ‘poisoning’) in an attempt to re-direct people trying to access a real website to a fake, phishing or criminal site. Note that DNSSEC provides authentication and integrity of DNS answers; it does not encrypt or hide the queries themselves.
  • An informative video can be found here.

How can customers opt-in to DNSSEC before they are migrated automatically?

  • All Comcast customers can use the new DNS servers now.
  • Customers should visit http://www.dnssec.comcast.net for general information about DNSSEC.
  • The DNS IP Addresses for DNSSEC Deployment are 75.75.75.75 and 75.75.76.76.
  • Additional information about our DNS servers can be found at http://dns.comcast.net.

How long will the trial last?

  • We will run this trial until early 2011, as we migrate all customers to the new DNSSEC servers using DHCP updates (Comcast customers are automatically assigned their DNS server IPs via their DHCP lease).

Are customers who have manually configured their DNS IP addresses to point to Comcast’s current DNS servers opted-in?

  • Not initially. Our existing DNS servers will not perform secure DNS validation during this trial period, and you must manually opt-in to the secure validating DNS.
  • Eventually, however, all servers will be upgraded to support DNSSEC.

Are customers who have opted in to or out of Comcast Domain Helper impacted by this?

  • When DNSSEC is deployed on all of our DNS servers, the web error redirect function at the core of Comcast Domain Helper will be disabled, as this is not technically compatible with DNSSEC.
  • Customers that have opted out of Domain Helper will be the first customers that we migrate to the new DNSSEC servers. Domain Helper will not be active.
  • Comcast does plan to turn off Domain Helper when DNSSEC is fully implemented.

What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?

  • We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
  • Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
  • The production network DNSSEC servers do not have Comcast Domain Helper’s DNS redirect functionality enabled.
  • We recently updated our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this.

What are the key questions you are trying to answer during the trial?

  • We are trialing DNSSEC to see how it scales on production DNS servers under load, to prepare our production network for DNSSEC, and to develop the processes needed to troubleshoot any DNSSEC-related technical errors which may occur.
  • By signing our production zones like Comcast.com, we are looking to secure the data in the DNS and provide a more secure DNS experience.
  • We are looking to see how functional signing of our zones will work in real world scenarios, in a production environment.
  • We have been sharing what we learn with the Internet community, particularly with the IETF, the DNSSEC Deployment Initiative, the DNS Operations Analysis and Research Center, and other groups, for the benefit of all Internet users.

What happens if I try to access a website that fails DNSSEC validation?

  • Your DNS resolver will send a “SERVFAIL” response to your computer.
  • Then, your web browser will display a “Server Not Found” error.
  • SERVFAIL is also what a resolver returns for ordinary lookup failures, so the browser error alone does not tell you whether DNSSEC validation was the cause.
  • If your client has a DNSSEC indicator, though, it may look different. See this FAQ for more details.
  • An example of what such an error will look like can be found below:

Will client software like a web browser indicate if DNSSEC is in use?

  • There are few end user clients that will show you when DNSSEC is being used by a domain, but we expect that to change as more of our customers and the customers of other large ISPs move to DNSSEC.
  • This low level of client-based DNSSEC user interface indication is one of the reasons that, on October 13, 2010, we announced that we donated funds to the NLnet Foundation’s DNS Security Fund, which can provide development funding for open source developers.
  • If you are a Firefox browser user, we can recommend the DNSSEC Validator add-on, developed by CZ.NIC Labs, which is available here.
  • To see what that add-in looks like, see this FAQ.

What messages will the Firefox DNSSEC Validator show?

  • As noted above, the DNSSEC Validator add-on (available here) displays a visual indicator of DNSSEC status.
  • Here is an example of what a domain secured with DNSSEC looks like, with the indication expanded:
  • Here is an example of what a DNSSEC failure looks like, with the indication expanded:

How can I validate whether or not I am using the DNSSEC servers?

  • Try to access this website, whose DNSSEC signatures are deliberately broken: http://www.dnssec-failed.org/
  • If you can access the site and get a valid web page, then you ARE NOT using a DNSSEC-validating DNS server.
  • If you get a “Server Not Found” error as shown above, then you ARE using a DNSSEC-validating DNS server.
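The two FAQ entries above (the SERVFAIL behaviour and the dnssec-failed.org test) can be checked from the command line rather than through a browser, which removes the ambiguity of a generic “Server Not Found” page. The script below is an added example, not part of the original Comcast FAQ: it builds a raw DNS query with the EDNS0 DO bit, sends it to a resolver once normally and once with the CD (checking disabled) bit set, and classifies the resolver from the two responses. A validating resolver answers SERVFAIL for www.dnssec-failed.org but answers normally when CD is set; a non-validating resolver answers normally either way; SERVFAIL in both cases points at an outage rather than at validation. The resolver address 75.75.75.75 and the test name come from the FAQ; the embedded 12-byte response headers are constructed samples so the classification logic can be exercised offline.

```python
"""Check whether a recursive resolver performs DNSSEC validation (added example)."""
import os
import socket
import struct

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
DNS_PORT = 53
TEST_NAME = "www.dnssec-failed.org"  # from the FAQ: its signatures are intentionally broken


def build_query(qname, qtype=1, cd=False, txid=None):
    """Build a UDP DNS query (A record by default) with EDNS0 and the DO bit set.
    RD is always set; CD is set when cd=True so the resolver skips validation."""
    txid_bytes = os.urandom(2) if txid is None else struct.pack("!H", txid)
    flags = 0x0100 | (0x0010 if cd else 0)                         # RD | CD
    header = txid_bytes + struct.pack("!HHHHH", flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)           # class IN
    # OPT pseudo-RR: root name, type 41, UDP payload 4096, TTL field carries DO (0x8000), no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "tc": bool(flags & 0x0200),   # truncated: retry over TCP before trusting the rcode
        "ad": bool(flags & 0x0020),   # authenticated data: the resolver validated this answer
        "cd": bool(flags & 0x0010),
        "ancount": an,
    }


def classify(plain, cd):
    """plain: header of the normal query for the broken domain; cd: same query with CD set."""
    if plain["tc"] or cd["tc"]:
        return "inconclusive"
    if plain["rcode"] == RCODE_SERVFAIL and cd["rcode"] == RCODE_NOERROR and cd["ancount"] > 0:
        return "validating"          # fails closed, and CD proves the data itself is reachable
    if plain["rcode"] == RCODE_NOERROR and plain["ancount"] > 0:
        return "not validating"
    return "inconclusive"            # e.g. SERVFAIL with CD too: resolver or upstream outage


def query(server, qname, cd=False, timeout=3.0):
    """Send one query over UDP and return its parsed header (network access required)."""
    q = build_query(qname, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch; discarding unsolicited response")
    return hdr


def check_resolver(server):
    """Return 'validating', 'not validating' or 'inconclusive' for the given resolver IP."""
    return classify(query(server, TEST_NAME), query(server, TEST_NAME, cd=True))


# Constructed 12-byte response headers (no network needed) illustrating each case:
SERVFAIL_HDR = bytes.fromhex("1234 8182 0001 0000 0000 0000")       # QR RD RA, rcode=2
CD_ANSWER_HDR = bytes.fromhex("1235 8190 0001 0001 0000 0000")      # QR RD RA CD, rcode=0, 1 answer
PLAIN_ANSWER_HDR = bytes.fromhex("1236 8180 0001 0001 0000 0000")   # QR RD RA, rcode=0, 1 answer
AD_ANSWER_HDR = bytes.fromhex("1237 81a0 0001 0001 0000 0000")      # QR RD RA AD: validated answer

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "75.75.75.75"))
```

The same test with dig is `dig @75.75.75.75 www.dnssec-failed.org` (expect status SERVFAIL from a validating resolver) followed by `dig +cd @75.75.75.75 www.dnssec-failed.org` (expect NOERROR with an answer). For a correctly signed domain, a validating resolver sets the AD flag in its answer, which the `ad` field above exposes; an unsigned domain will never carry AD, so its absence alone is not evidence that validation is off.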

How far have you progressed in the migration?


  • To see this charted over time, check out this page.

DNSSEC FAQs.
