Education and Help

Helpful Links

• Constant Guard™ Overview
• Comcast's DNS Operations Site
• Comcast's IPv6 Informations Center
• Comcast's Network Management Page

Diagnostic Tools

• DNSViz
• DNSSEC Debugger

Tutorials

• Internet Society: DNSSEC Background
• NTIA DNSSEC Overview and Documents

Open Source & Research Support

• Open Source: Internet Systems Consortium
• Open Source: NLnet Labs
• Research: DNS Operations, Analysis, and Research Center

Related Information

• DNSSEC Deployment Initiative
• DNSSEC Industry Coalition
• DNSSEC Tools
• Even More DNSSEC Info
• Letter to NTIA regarding DNSSEC
• Information about DNSSEC for the Root Zone
• Comcast: Test If You Are Using DNSSEC
• DNSSEC Or Not: Test If You Are Using DNSSEC

Frequently Asked Questions

1. What is DNSSEC?
2. What happened to Comcast Domain Helper when you fully implemented DNSSEC?
3. What happens if I try to access a website that fails DNSSEC validation?
4. Will client software like a web browser indicate if DNSSEC is in use?
5. What messages will the Firefox DNSSEC Validator show?
6. How can I validate whether or not I am using the DNSSEC servers?
7. I think a website failed to validate. How can I tell for sure?
8. When did Comcast implement DNSSEC?
9. How do I manually configure my DNS servers?

What is DNSSEC?

• DNSSEC is an enhanced level of Internet security that allows Websites and ISPs to validate domain names to ensure they are correct and not tampered with. This prevents hackers from injecting false information (aka DNS cache "poisoning"), to attempt to re-direct people trying to access a real website to a fake, phishing or criminal site.
• Check out this short video for more details
  

What happened to Comcast Domain Helper, which offered DNS redirect services, when you fully implemented DNSSEC?

• The web error redirection function of Comcast Domain Helper was technically incompatible with DNSSEC.
• An old IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, reflected our views on this incompatibility.
• Comcast has always known this and planned to turn off such redirection when DNSSEC was fully implemented, which we did on January 9, 2012.

What happens if I try to access a website that fails DNSSEC validation?

• If using a web browser you will see an error message, such as "Server Not Found." The exact result will vary from browser to browser. See below for an example.
  

Will client software like a web browser indicate if DNSSEC is in use?

• There are few end user clients that will show you when DNSSEC is being used by a domain, but we expect that to change as more of our customers and the customers of other large ISPs move to DNSSEC.
• This low level of client-based DNSSEC user interface indication is one of the reasons that, on October 13, 2010, we announced that we donated funds to the NLnet Foundation's DNS Security Fund, which can provide development funding for open source developers.
• There are DNSSEC Validator extensions for some browsers. For example, here is a Firefox extension, and appears to also be in Google Chrome.

What messages will the Firefox DNSSEC Validator show?

• The DNSSEC Validator add-in for Firefox displays a visual indicator of DNSSEC status.
• Here is an example of a domain secured with DNSSEC
  
• Here is an example of a domain not secured with DNSSEC
  

How can I validate whether or not I am using the DNSSEC servers?

• Try to access this website: http://www.dnssec-failed.org/
  • If you can access the site and get a valid web page, then you ARE NOT using a DNSSEC-validating DNS server.
  • If you get a "Server Not Found" error, then you ARE using a DNSSEC-validating DNS server.
• Another site to try is DNSSEC Or Not

I think a website failed to validate. How can I tell for sure?

• Use a testing tool like Sandia National Lab's DNSViz, at http://dnsviz.net/. For example, here is an example of the validation failure of www.dnssec-failed.org at
  http://dnsviz.net/d/www.dnssec-failed.org/dnssec/.
• Use a testing tool like Verisign Labs' DNSSEC Debugger, at http://dnssec-debugger.verisignlabs.com/. For example, here is an example of the validation failure of www.dnssec-failed.org at
  http://dnssec-debugger.verisignlabs.com/dnssec-failed.org. If a site fails DNSSEC validation, they either have some security problem or have misconfigured their domain.

When did Comcast implement DNSSEC?

[ Click the image above to enlarge ]

How do I manually configure my DNS servers?

If you have manually configured your DNS IP addresses, we recommend you switch back to receiving them via DHCP and then release/renew your DHCP lease. If for some reason you wish to manually configure your DNS servers, you may use the IPv4 addresses 75.75.75.75 and 75.75.76.76, and IPv6 addresses 2001:558:FEED::1 and 2001:558:FEED::2.