Frequently Asked Questions

  1. What is DNSSEC?
  2. What happened to Comcast Domain Helper, which offered DNS redirect services, when you fully implemented DNSSEC?
  3. What happens if I try to access a website that fails DNSSEC validation?
  4. Will client software like a web browser indicate if DNSSEC is in use?
  5. What messages will the Firefox DNSSEC Validator show?
  6. How can I validate whether or not I am using the DNSSEC servers?
  7. I think a website failed to validate. How can I tell for sure?
What is DNSSEC?
  • DNSSEC is an enhanced level of Internet security that allows websites and ISPs to validate domain names to ensure they are correct and have not been tampered with. This prevents hackers from injecting false information (also known as DNS cache "poisoning") in an attempt to redirect people trying to access a real website to a fake, phishing, or criminal site.
  • An informative video can be found here.
What happened to Comcast Domain Helper, which offered DNS redirect services, when you fully implemented DNSSEC?
  • The web error redirection function of Comcast Domain Helper was technically incompatible with DNSSEC.
  • An old IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, reflected our views on this incompatibility.
  • Comcast has always known this and planned to turn off such redirection when DNSSEC was fully implemented, which we did on January 9, 2012.
What happens if I try to access a website that fails DNSSEC validation?
  • If using a web browser you will see an error message, such as "Server Not Found." (The exact result will vary from browser to browser.)
  • An example of what such an error will look like can be found below:
  • If your client has a DNSSEC indicator, though, your experience may look different. See the next FAQ for more details.
Will client software like a web browser indicate if DNSSEC is in use?
What messages will the Firefox DNSSEC Validator show?
  • As noted above, the DNSSEC Validator add-in, available here, does display a visual indicator of DNSSEC status.
  • Here is an example of what a domain secured with DNSSEC looks like, with the indication expanded:
  • Here is an example of what a DNSSEC failure looks like, with the indication expanded:
How can I validate whether or not I am using the DNSSEC servers?
  • Try to access this website: http://www.dnssec-failed.org/
  • If you can access the site and get a valid web page, then you ARE NOT using a DNSSEC-validating DNS server.
  • If you get a "Server Not Found" error as shown above, then you ARE using a DNSSEC-validating DNS server.
  • Another site to try is DNSSEC Or Not
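The same check made at the DNS level, as an added example that is not Comcast's code: it queries the test name twice, once normally and once with the CD (checking disabled) flag, which goes beyond the browser test above by separating a validation failure from an ordinary outage. The function names, the resolver address argument and the constructed sample headers are assumptions for illustration, as is the expectation that the test name still returns data when checking is disabled.

```python
import socket
import struct
import sys

TEST_NAME = "www.dnssec-failed.org"  # deliberately mis-signed test name from the FAQ
SERVFAIL = 2

def build_query(name, cd=False, qid=0x1234):
    """Build an A-record query with RD set and, optionally, CD (checking disabled)."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def summarize(response):
    """Return (rcode, answer_count) from the 12-byte DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return flags & 0x000F, ancount

def verdict(normal, checking_disabled):
    """Compare the normal response with the CD=1 response for the mis-signed name."""
    rcode, answers = summarize(normal)
    cd_rcode, cd_answers = summarize(checking_disabled)
    if rcode == 0 and answers > 0:
        return "not validating"   # the bogus data was handed to the client
    if rcode == SERVFAIL and cd_rcode == 0 and cd_answers > 0:
        return "validating"       # data exists, but validation rejected it
    return "inconclusive"         # e.g. SERVFAIL both ways: outage, not DNSSEC

def ask(resolver_ip, query, timeout=3.0):
    """Send one UDP query to the resolver and return the raw response bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def check_resolver(resolver_ip):
    return verdict(ask(resolver_ip, build_query(TEST_NAME)),
                   ask(resolver_ip, build_query(TEST_NAME, cd=True)))

def fake_response(rcode, ancount):
    """Constructed sample header (QR, RD, RA set) for trying verdict() offline."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)

if __name__ == "__main__" and len(sys.argv) == 2:
    print(check_resolver(sys.argv[1]))  # argument: IP address of your DNS resolver
```

Run it with the IP address of the resolver your system is configured to use; "validating" corresponds to the "Server Not Found" outcome in the browser test.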
I think a website failed to validate. How can I tell for sure?