Comcast DNSSEC Trial

August 11, 2009: We have deployed the IANA ITAR anchors to the Nominum Vantio and NLnet Labs Unbound resolvers. We are still working on the configuration for ISC BIND 9.6. We have also signed mycomcast.org and comcastbusiness.org and are working to have the DS records inserted in the ORG registry for additional testing. Once this has been completed, we will be able to validate these zones using the ITAR repository and DLV registry without needing a trust anchor key for these zones on our resolvers.

July 27, 2009: It has been a while since we updated this page, and there have been some major developments on the DNSSEC front and in our testbed, so we wanted to give a quick update. IANA has launched the ITAR, and we are in the process of upgrading our test resolvers to load the keys from its repository. We will post here when this process is completed, and we will list below which resolvers are using ITAR.

November 18, 2008: A new link has been added to list all keys that are loaded on the recursive resolvers. We will update this list as more keys are made available. We are also upgrading the Unbound server to the latest 1.1.0 release, which supports DLV. Once this upgrade is complete, we will change the status on that server.

November 17, 2008: We have added a third resolver to test against, running a different DNS application server. We have also updated the description of each server to identify which DNS application server it is running.

October 29, 2008: We have added an additional resolver to test against, running a different DNS application server. Please feel free to test against this server and provide feedback.

October 1, 2008: This trial is being conducted by the Internet Services team, in National Engineering & Technical Operations. Given the move by the .GOV Top Level Domain (TLD), as well as the coordinated activities of the public sector, private sector, industry groups, and other non-governmental organizations regarding other TLDs implementing DNSSEC, we have started a production trial to evaluate a move to DNSSEC by large ISPs. As of October 1, 2008, we have made available a DNSSEC resolver for anyone in the Internet community to test against. In addition, as we perform testing, decide how to deploy DNSSEC resolvers widely, and how to sign our own zones, we will be building documentation about our experiences, and intend to share this with the Internet community at large.


Download the Comcast DNSSEC Public Key:

Please choose your DNS server and download our DNSSEC key. We have included it in the minimum configuration needed for each platform.

1 - ISC Bind DNSSEC configuration/key for dnssec.comcast.net
2 - Nominum Vantio DNSSEC configuration/key for dnssec.comcast.net
3 - NLnet Labs Unbound DNSSEC configuration/key for dnssec.comcast.net

Testing Against DNSSEC-Enabled DNS Resolvers:

We have deployed DNSSEC-enabled DNS caching servers in our production network. If you would like to test our DNSSEC resolvers for signed domains, please point your DNS requests to:

IP Address: 68.87.64.154
FQDN of Server: phil-dnssec-trial.inflow.pa.bo.comcast.net
DNS Application: Nominum Vantio - IANA ITAR Enabled


IP Address: 68.87.68.170
FQDN of Server: atlt-dnssec-trial.s3woodstock.ga.atlanta.comcast.net.
DNS Application: ISC BIND - DLV Enabled


IP Address: 68.87.69.154
FQDN of Server: bvrt-dnssec-trial.beaverton.or.bverton.comcast.net.
DNS Application: NLNet Labs Unbound - IANA ITAR and DLV Enabled
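
The following Python example is added here and is not Comcast's code. It builds a query with the EDNS0 DO bit set and classifies a reply by its AD flag and RCODE, which is how a client can tell whether one of the resolvers above validated an answer. The function names, the transaction ID and the sample reply headers are constructed for illustration; the resolver address comes from this page.

```python
import socket
import struct

RESOLVER = "68.87.64.154"  # Nominum Vantio trial resolver listed on this page

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL field holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def validation_status(reply):
    """Classify a reply from its header: AD set means the resolver validated the data."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    _txid, flags = struct.unpack("!HH", reply[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"  # returned for data that fails validation, among other errors
    if rcode != 0:
        return "rcode-%d" % rcode
    # AD clear: the zone is unsigned, has no chain to a trust anchor, or was not validated
    return "validated" if flags & 0x0020 else "not-validated"

def ask(name, server=RESOLVER, timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply = s.recv(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return validation_status(reply)

# Constructed reply headers (12 bytes each), not captured traffic.
SAMPLE_REPLIES = {
    "signed zone, AD set": struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1),
    "unsigned zone, AD clear": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1),
    "bogus data, SERVFAIL": struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1),
}
```

The AD flag is an unauthenticated header bit, so it only carries weight when the network path between the client and the resolver is trusted.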


Configured Keys on all three DNSSEC enabled resolvers


DNSSEC References and Further Information:

1 - DNSSEC Deployment Coordination Initiative
2 - DNSSEC-Tools Website
3 - DNSSEC Security Extensions Website
4 - IETF: DNS Extensions Working Group
5 - IETF: DNS Operations Working Group
6 - CircleID: DNSSEC News Roundup
7 - NTIA: DNSSEC Notice of Inquiry (comments due 11/24/2008)
8 - Announcement of Intent to Implement DNSSEC in .GOV TLD in 2009