Skip Links

Comcast launches first public U.S. trial of advanced DNS security

ISP's commitment to DNSSEC resolution services seen as advancing adoption

By , Network World
February 23, 2010 11:34 AM ET

Network World - Comcast unveiled on Tuesday an aggressive plan to deploy new DNS security mechanisms that are designed to protect Web site operators and consumers from a specific type of hacking attack that involves hijacking Web traffic and redirecting it to bogus sites.

In a blog post, Comcast said it has deployed DNS Security Extensions -- dubbed DNSSEC -- throughout its nationwide network and will immediately make validating servers available to any of its customers that want to experiment with this emerging security technique.

VeriSign to support DNS security in 2011

In addition to this public trial of DNSSEC validation services, Comcast says it will digitally sign all of its own domain names -- more than 5,000 in total -- using DNSSEC by the first quarter of 2011.

By the end of 2011, Comcast says it will have production-quality DNSSEC resolution services available to all of its business and residential customers.

"There is often talk about a chicken-and-egg sort of problem with DNSSEC. People don't want to sign their own domains with DNSSEC until people are validating signatures," says Jason Livingood, Executive Director of Internet Systems Engineering at Comcast. "We want to explain how we as an ISP have a road map for validating signatures with DNSSEC."

DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to authenticate their domain names and corresponding IP addresses using digital signatures and public-key encryption. When DNSSEC is fully deployed, Internet users will be able to verify that the Web sites they visit are digitally signed.

Comcast is believed to be the first U.S. carrier to announce plans to support resolution of DNSSEC queries for its customers as well as to sign its own domain names using DNSSEC.

"There are no large U.S. ISPs that have been publicly resolving and signing using DNSSEC in a large trial. But there are lots of people doing small little tests of DNSSEC," says Paul Hoffman, Director of the VPN Consortium and an active participant in DNSSEC standards development work by the Internet Engineering Task Force.

Hoffman says until now no U.S. carrier has committed to DNSSEC resolution, which could be a stumbling block to DNSSEC deployment.

"Many people have been worried that there would be a lot of people signing their domain names, and no one checking for the resolution," Hoffman says. "A major ISP doing both halves of the equation with DNSSEC is a big deal."

DNSSEC is a hierarchical system, and it requires authentication at every step in the process of matching a domain name with the corresponding IP address. In order for a user to receive an authenticated response from a popular Web site such as, DNSSEC needs to be deployed on the Internet's root servers, the .com domain servers operated by VeriSign, and the DNS servers operated by Amazon or its Web-hosting company. Consumers who visit Amazon's Web site also need their ISPs to validate the digital signature they receive.

DNSSEC is in the process of being deployed across the Internet's infrastructure. The DNS root servers will be signed in July, and VeriSign has committed to supporting DNSSEC on the .com and .net servers by early 2011. The U.S. federal government is deploying DNSSEC across the .gov domain, and the Public Interest Registry is supporting DNSSEC in .org.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News