Comcast DNSSEC Trial

November 18, 2008: A new link has been added to list all keys that are loaded on the recursive resolvers. We will update this list as more keys are made available. We are also upgrading the Unbound server to the latest 1.1.0 release, which supports DLV. Once this upgrade is complete, we will change the status on that server.

November 17, 2008: We have added a third additional resolver to test against running a different DNS application server. We have also updated the descriptions on each server to identify what DNS application server each server is running.

October 29, 2008: We have added an additional resolver to test against running a different DNS application server. Please feel free to test against this server and provide feedback.

October 1, 2008: This trial is being conducted by the Internet Services team, in National Engineering & Technical Operations. Given the move by the .GOV Top Level Domain (TLD), as well as the coordinated activities of the public sector, private sector, industry groups, and other non-governmental organizations regarding other TLDs implementing DNSSEC, we have started a production trial to evaluate a move to DNSSEC by large ISPs. As of October 1, 2008, we have made available a DNSSEC resolver for anyone in the Internet community to test against. In addition, as we perform testing, decide how to deploy DNSSEC resolvers widely, and how to sign our own zones, we will be building documentation about our experiences, and intend to share this with the Internet community at large.


Download the Comcast DNSSEC Public Key:

Please choose your DNS server and download our DNSSEC key. We have included it in the minimum configuration needed for each platform.

1 - Bind DNSSEC configuration/key for dnssec.comcast.net
2 - Nominum Vantio DNSSEC configuration/key for dnssec.comcast.net
3 - Unbound DNSSEC configuration/key for dnssec.comcast.net

Testing Against DNSSEC-Enabled DNS Resolvers:

We have deployed DNSSEC-enabled DNS caching servers in our production network. If you would like to test our DNSSEC resolvers for signed domains, please point your DNS requests to:

IP Address: 68.87.64.154
FQDN of Server: phil-dnssec-trial.inflow.pa.bo.comcast.net
DNS Application: Nominum Vantio


IP Address: 68.87.68.170
FQDN of Server: atlt-dnssec-trial.s3woodstock.ga.atlanta.comcast.net.
DNS Application: ISC BIND - DLV Enabled


IP Address: 68.87.69.154
FQDN of Server: bvrt-dnssec-trial.beaverton.or.bverton.comcast.net.
DNS Application: Unbound - DLV Enabled
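
One way to check whether a resolver such as those listed above is validating, as an added example that is not part of the original Comcast page: send a query with the EDNS0 DO bit set and read the AD flag and RCODE from the reply header. The query name `example.gov`, the helper `query_resolver`, and the sample responses are constructed for illustration; `query_resolver` needs network access to a live resolver.

```python
import os
import socket
import struct

RESOLVER = "68.87.64.154"  # trial resolver address listed on this page

def build_query(name, txid, qtype=1):
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad, answer_count) from a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return flags & 0x000F, bool(flags & 0x0020), ancount  # AD is bit 0x0020

def classify(response):
    """'validated' if NOERROR with AD set, 'servfail' on RCODE 2, else 'unvalidated'."""
    rcode, ad, _ = parse_flags(response)
    if rcode == 2:  # validating resolvers answer SERVFAIL when signatures do not verify
        return "servfail"
    return "validated" if rcode == 0 and ad else "unvalidated"

def query_resolver(name, server=RESOLVER, timeout=3.0):
    """Hypothetical helper: send the query over UDP and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != struct.pack("!H", txid):
        raise ValueError("transaction ID mismatch")
    return classify(data)

# Constructed 12-byte response headers (not captured traffic).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)      # QR RD RA
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # RCODE 2

if __name__ == "__main__":
    for label, pkt in [("signed", SAMPLE_VALIDATED), ("unsigned", SAMPLE_PLAIN), ("bogus", SAMPLE_SERVFAIL)]:
        print(label, classify(pkt))
```

The AD flag is only as trustworthy as the network path to the resolver, because the reply from the resolver to the client is not itself signed.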


Configured Keys on all three DNSSEC enabled resolvers


DNSSEC References and Further Information:

1 - DNSSEC Deployment Coordination Initiative
2 - DNSSEC-Tools Website
3 - DNSSEC Security Extensions Website
4 - IETF: DNS Extensions Working Group
5 - IETF: DNS Operations Working Group
6 - CircleID: DNSSEC News Roundup
7 - NTIA: DNSSEC Notice of Inquiry (comments due 11/24/2008)
8 - Announcement of Intent to Implement DNSSEC in .GOV TLD in 2009