Back in October 2010, I posted on our blog that we were beginning our deployment of Domain Name System Security Extensions (DNSSEC), as part of an evolving suite of security protections that are part of Comcast Constant Guard™.
ISPs play two roles in DNSSEC. The first, and perhaps the most critical, is validating DNSSEC as part of the DNS lookups performed for our customers. These lookups occur when a customer tries to access a site, such as www.paypal.com. When a customer tries to connect to that website, a Comcast DNS server checks that domain name and verifies its signature to ensure that it is valid and has not been tampered with by hackers or other criminals. The second role is to cryptographically sign the domain names that we own, such as comcast.com, so that when our customers or others using DNSSEC try to connect to services in those domains, they can validate the security of the associated DNS responses.
Since 2010, our deployment has steadily progressed and we have reached a couple of significant milestones. First, Comcast owns thousands of domains such as comcast.com. We have now cryptographically signed more than 5,000 of our domains, representing over 90% of our domain names. Second, we now have 50% of our 17.8M Internet customers using our DNSSEC-validating servers. We expect to complete signing all of our domain names and to have all of our customers using our DNSSEC-validating servers in early 2012.
Now that millions of Internet users in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially for commerce and banking-related sites, to begin signing their domain names. PayPal has already taken this important step, which we applaud, and we encourage other domains to follow their lead.