Comcast Expands DNSSEC Trial, Announces Implementation Plans

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Jason Livingood <jason_livingood () cable comcast com>
> Date: February 23, 2010 11:21:42 AM EST
> To: Dave Farber <dave () farber net>
> Subject: Comcast Expands DNSSEC Trial, Announces Implementation Plans

> Dave – For IP if you wish:
>
> We just added a new post to our blog (http://blog.comcast.com/2010/02/dnssec.html 
> ) that summarizes our plan to implement DNSSEC validation in the DNS  
> servers that our customers use, as well as for the signing of  
> authoritative domains such as comcast.com.  We are also announcing  
> an expansion of our DNSSEC trial.
>
> First, we plan to sign the domain names we manage, such as  
> xfinity.com, by the end of the first quarter of 2011, if not  
> sooner.  While we are already signing several domains today on a  
> trial basis, such as comcast.org, this is our goal for signing the  
> full range of domains that we own (there are thousands).
>
> Second, by the end of 2011, if not sooner, we plan to implement  
> DNSSEC validation in all of the recursive DNS servers (a.k.a.  
> caching servers) that our customers use every day. Customers will  
> not need to make any changes to their configurations in order to  
> take advantage of that; this will automatically occur via DHCP lease  
> updates at that time.
>
> Third, Comcast customers who would like to start using a DNSSEC- 
> validating DNS server today, can immediately do so on an opt-in  
> basis as the next step in our DNSSEC technical trials.  Details are  
> at http://www.dnssec.comcast.net.  The servers supporting this are  
> operating in our production network, not a trial network, and are  
> deployed nationally in the same locations as our other DNS servers  
> that customers use everyday.
>
> We hope that by announcing our DNSSEC plans, and immediately making  
> available our Anycast-based DNSSEC-validating servers, we will  
> catalyze other stakeholders to really focus on DNSSEC, and do their  
> share to ensure we collectively have a secure foundation for the  
> Internet.  Just as with IPv6, it's time for organizations to get  
> serious about DNSSEC and today we take another step in doing our  
> share to move the Internet community ahead.
>
> Finally, I'd like to anticipate one question some readers of IP  
> might ask, which is how we reconcile the use of DNS redirect as used  
> in Comcast Domain Helper (and as described in http://tools.ietf.org/html/draft-livingood-dns-redirect 
> ), with our plan to implement DNSSEC.  The answer is that we believe  
> that DNSSEC is basically incompatible with current DNS redirect  
> technology.  We have always known this and we expect that one result  
> of turning on DNSSEC validation will be that Domain Helper's DNS  
> redirect functionality will need to be disabled, absent any  
> additional IETF standards work or other technology advances (and  
> we're not aware of any work on either of these fronts).  I  
> anticipate updating our IETF draft on this subject soon, but  
> probably will not have time to do so until after IETF 77, which  
> takes place in late March.
>
> For more information on the DNSSEC deployment at Comcast, please  
> check out http://www.dnssec.comcast.net.
>
> Regards,
>
> Jason Livingood
> Internet Systems Engineering
> Comcast



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com