NNSquad - Network Neutrality Squad
[ NNSquad ] Comcast Expands DNSSEC Trial, Announces Implementation Plans
----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Tue, 23 Feb 2010 11:46:06 -0500
From: Dave Farber <dave@farber.net>
Subject: [IP] Comcast Expands DNSSEC Trial, Announces Implementation Plans
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>

Begin forwarded message:

> From: Jason Livingood <jason_livingood@cable.comcast.com>
> Date: February 23, 2010 11:21:42 AM EST
> To: Dave Farber <dave@farber.net>
> Subject: Comcast Expands DNSSEC Trial, Announces Implementation Plans
>
> Dave – For IP if you wish:
>
> We just added a new post to our blog
> (http://blog.comcast.com/2010/02/dnssec.html) that summarizes our plan
> to implement DNSSEC validation in the DNS servers that our customers
> use, as well as for the signing of authoritative domains such as
> comcast.com. We are also announcing an expansion of our DNSSEC trial.
>
> First, we plan to sign the domain names we manage, such as xfinity.com,
> by the end of the first quarter of 2011, if not sooner. While we are
> already signing several domains today on a trial basis, such as
> comcast.org, this is our goal for signing the full range of domains that
> we own (there are thousands).
>
> Second, by the end of 2011, if not sooner, we plan to implement DNSSEC
> validation in all of the recursive DNS servers (a.k.a. caching servers)
> that our customers use every day. Customers will not need to make any
> changes to their configurations in order to take advantage of that; this
> will automatically occur via DHCP lease updates at that time.
>
> Third, Comcast customers who would like to start using a
> DNSSEC-validating DNS server today, can immediately do so on an opt-in basis as
> the next step in our DNSSEC technical trials. Details are at
> http://www.dnssec.comcast.net. The servers supporting this are
> operating in our production network, not a trial network, and are
> deployed nationally in the same locations as our other DNS servers that
> customers use every day.
>
> We hope that by announcing our DNSSEC plans, and immediately making
> available our Anycast-based DNSSEC-validating servers, we will catalyze
> other stakeholders to really focus on DNSSEC, and do their share to
> ensure we collectively have a secure foundation for the Internet. Just
> as with IPv6, it's time for organizations to get serious about DNSSEC
> and today we take another step in doing our share to move the Internet
> community ahead.
>
> Finally, I'd like to anticipate one question some readers of IP might
> ask, which is how we reconcile the use of DNS redirect as used in
> Comcast Domain Helper (and as described in
> http://tools.ietf.org/html/draft-livingood-dns-redirect), with our plan
> to implement DNSSEC. The answer is that we believe that DNSSEC is
> basically incompatible with current DNS redirect technology. We have
> always known this and we expect that one result of turning on DNSSEC
> validation will be that Domain Helper's DNS redirect functionality will
> need to be disabled, absent any additional IETF standards work or other
> technology advances (and we're not aware of any work on either of these
> fronts). I anticipate updating our IETF draft on this subject soon, but
> probably will not have time to do so until after IETF 77, which takes
> place in late March.
>
> For more information on the DNSSEC deployment at Comcast, please check
> out http://www.dnssec.comcast.net.
>
> Regards,
>
> Jason Livingood
> Internet Systems Engineering
> Comcast

----- End forwarded message -----