Welcome to Comcast DNS

This site provides you with the Comcast DNS server status, IP addresses, and troubleshooting tools. As part of our ongoing efforts to protect our customers and provide great security features, DNSSEC validation is now included as part of Comcast Constant Guard™ from Xfinity.

Subscribe to feed Viewing entries tagged DNSSEC

DNSSEC Update - .ORG TLD Signed, All Comcast .ORG Domains Signed

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on June 23, 2010
in DNSSEC News

Today in Brussels, the Public Interest Registry, operator of the .ORG Top Level Domain (TLD), announced that they have signed the .ORG TLD, enabling support for DNSSEC in that TLD. Coinciding with that announcement and joint testing we have performed with PIR, Comcast is pleased to sign all of our over 650 .ORG domains. This is an important milestone in our continuing work to deploy DNSSEC. In addition, you can find slides we will be presenting at two ICANN DNSSEC workshops tomorrow here and here.

Tags: DNSSEC

Highlighting An Interesting DNSSEC Test Tool

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on April 27, 2010
in DNSSEC News

DNSSEC validation can be a very difficult to test, in order to validate that it is working. However, with good tools, this becomes a lot easier. We want to highlight one such tool from dnsviz.net. This tool allows an end user as well as a DNS admin to verify the chain of trust in DNSSEC signing of domains. It's especially useful as it validates from the root of the DNS down to a specific domain, showing all security chaining between the layers of the DNS. As an example, you can try one of our signed zones like comcast.org and see what a signed zone should look like (though since the root zone is not yet signed so you will only see the chain of trust from the ORG zone down).

Tags: DNSSEC

UDP Payload Size Issues Being Addressed

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on April 22, 2010
in DNSSEC News

It's been two months since we launched our DNSSEC trial and we have been busy. We're happy to see that some of our customers are giving it a try and reporting issues. One problem we've been working to correct is how the DNS servers handle the amount of data that a signed response creates. This is known as UDP payload size and normal DNS responses are usually limited to 512 bytes. This changes with DNSSEC, where this size can increase to 4000, causing issues with network elements like firewalls and routers.

Use of this larger UDP size is also known as EDNS0. We encountered this issue with some signed zones in the .GOV and .ORG top level domains (TLDs). These TLDs are signed and have allowed some secondary zones to sign and become DNSSEC-aware. When our validating resolvers were trying to cache these DNSSEC-aware zones, the DNS servers attempted to validate the signatures, but due to a limitation on one of our upstream systems that limited the UDP payload size, the response never reached our DNS servers (which can handle the prescribed 4000 payload size). As an interim fix, we have lowered the max UDP payload size, which tells the DNS servers to fall back to TCP as a transport for the DNSSEC responses while we work with the affected vendor to fix this limitation in UDP payload sizing. We are glad to report that the fix is currently in our labs being tested and should be rolled out to our production systems soon. These kind of operational issues are best found in a trial, and this is why we are testing out DNSSEC now, before going live with millions of subscribers.

Tags: DNSSEC

DNSSEC Implementation Plans Announced

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on February 23, 2010
in DNSSEC News

Comcast has been a leader in testing of and advocating for the wide adoption of DNSSEC. Our leadership continues today with the announcement of a plan to implement DNSSEC validation in the DNS servers that our customers use by the end of 2011, as well as for signing of our authoritative domains, such as comcast.com, by the end of the first quarter of 2011. In addition, today we are making available DNSSEC-validating DNS servers for customers to use on a trial basis now. You can learn more about this in our DNSSEC trial FAQs.

Tags: DNSSEC

IANA ITAR Anchors Added

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on August 11, 2009
in DNSSEC News

We have deployed the IANA ITAR anchors to the Nominum Vantio and NLnet Labs Unbound resolvers. We are still working on the configuration for ISC BIND 9.6. We have also signed mycomcast.org and comcastbusiness.org and are working to have the DS records inserted in the ORG registry for additional testing. Once this has been completed, we will be able to validate these zones using the ITAR repository and DLV registry without having to have a trust anchor key on our resolvers for these zones.

Tags: DNSSEC

DNSSEC Trial Update

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on July 27, 2009
in DNSSEC News

It has been awhile since we updated this page and there are some major updates on the DNSSEC front and regarding our testbed that we wanted to update you on. IANA has launched the Interim Trust Anchor Repository (ITAR) and we are in process of upgrading our test resolvers to use this system to load the keys in their repository. We will post when this process is completed, and which resolvers are using ITAR will be posted below.

Tags: DNSSEC

Additional DNSSEC Resolver Added to Trial

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on November 18, 2008
in DNSSEC News

A new link has been added to list all keys that are loaded on the recursive resolvers. We will update this list as more keys are made available. We are also upgrading the Unbound server to the latest 1.1.0 release which supports DLV.

Tags: DNSSEC

Third DNSSEC Resolver Added to Trial

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on November 17, 2008
in DNSSEC News

We have added a third resolver to test against running a different DNS application server. We have also updated the descriptions on each server to identify what DNS application server each server is running.

Tags: DNSSEC

Second DNSSEC Resolver Added to Trial

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on October 29, 2008
in DNSSEC News

We have added an additional resolver to test against running a different DNS application server. Please feel free to test against this server and provide feedback.

Tags: DNSSEC

Initial Public DNSSEC Trial Announced

Posted by Comcast
Comcast
Comcast Corporation (Nasdaq: CMCSA, CMCSK) (www.comcast.com) is one of the world’s leading media, entertainmen...
User is currently offline
on October 01, 2008
in DNSSEC News

This trial is being conducted by the Internet Services team, in National Engineering & Technical Operations. Given the move by the .GOV Top Level Domain (TLD), as well as the coordinated activities of the public sector, private sector, industry groups, and other non-governmental organizations regarding other TLDs implementing DNSSEC, we have started a production trial to evaluate a move to DNSSEC by large ISPs. As of October 1, 2008, we have made available a DNSSEC resolver for anyone in the Internet community to test against. In addition, as we perform testing, decide how to deploy DNSSEC resolvers widely, and how to sign our own zones, we will be building documentation about our experiences, and intend to share this with the Internet community at large.

Tags: DNSSEC
This 
server cluster is functioning properly.This server cluster is functioning 
properly.
RSS Feed
Share this page on the social networks