For the past couple years, Comcast has been testing and advocating for the widespread adoption of DNS Security extensions (also known as DNSSEC). If you don’t know what DNSSEC is, you’re probably not alone. Basically, it allows websites to secure their domain information so that ISPs can validate and make sure nothing has been tampered with. This prevents hackers from injecting false information (aka DNS ‘poisoning’) that re-directs you to a fake or nefarious site. The process needed to secure domains as well as validate them is very complex and that is why we are taking time over the next year to make sure everything works.
We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers. You won’t need to make any changes to start using DNSSEC; it will happen automatically if you are currently using our DNS.
If you don’t want to wait until 2011, you can participate in our DNSSEC customer trial, which starts today. Opt-in by changing your DNS server IP addresses to 22.214.171.124 and 126.96.36.199 (we’ll be adding IPv6 addresses soon). The servers supporting this are deployed nationally in the same locations as our other DNS servers that millions of customers use everyday.
As the nation’s largest ISP, we have spent a lot of time in the last few years making our DNS the best and most secure platform on the Internet. We hope that our efforts in DNSSEC will encourage others to adopt similar measures to strengthen Internet security.