NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Comcast Expands DNSSEC Trial, Announces Implementation Plans

----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Tue, 23 Feb 2010 11:46:06 -0500
From: Dave Farber <dave@farber.net>
Subject: [IP] Comcast Expands DNSSEC Trial, Announces Implementation Plans
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>

Begin forwarded message:

> From: Jason Livingood <jason_livingood@cable.comcast.com>
> Date: February 23, 2010 11:21:42 AM EST
> To: Dave Farber <dave@farber.net>
> Subject: Comcast Expands DNSSEC Trial, Announces Implementation Plans

> Dave – For IP if you wish:
> We just added a new post to our blog 
> (http://blog.comcast.com/2010/02/dnssec.html) that summarizes our plan 
> to implement DNSSEC validation in the DNS servers that our customers 
> use, as well as for the signing of authoritative domains such as 
> comcast.com.  We are also announcing an expansion of our DNSSEC trial.
> First, we plan to sign the domain names we manage, such as xfinity.com, 
> by the end of the first quarter of 2011, if not sooner.  While we are 
> already signing several domains today on a trial basis, such as 
> comcast.org, this is our goal for signing the full range of domains that 
> we own (there are thousands).
> Second, by the end of 2011, if not sooner, we plan to implement DNSSEC 
> validation in all of the recursive DNS servers (a.k.a. caching servers) 
> that our customers use every day. Customers will not need to make any 
> changes to their configurations in order to take advantage of that; this 
> will automatically occur via DHCP lease updates at that time.
> Third, Comcast customers who would like to start using a DNSSEC- 
> validating DNS server today, can immediately do so on an opt-in basis as 
> the next step in our DNSSEC technical trials.  Details are at 
> http://www.dnssec.comcast.net.  The servers supporting this are  
> operating in our production network, not a trial network, and are  
> deployed nationally in the same locations as our other DNS servers that 
> customers use everyday.
> We hope that by announcing our DNSSEC plans, and immediately making  
> available our Anycast-based DNSSEC-validating servers, we will catalyze 
> other stakeholders to really focus on DNSSEC, and do their share to 
> ensure we collectively have a secure foundation for the Internet.  Just 
> as with IPv6, it's time for organizations to get serious about DNSSEC 
> and today we take another step in doing our share to move the Internet 
> community ahead.
> Finally, I'd like to anticipate one question some readers of IP might 
> ask, which is how we reconcile the use of DNS redirect as used in 
> Comcast Domain Helper (and as described in 
> http://tools.ietf.org/html/draft-livingood-dns-redirect), with our plan 
> to implement DNSSEC.  The answer is that we believe that DNSSEC is 
> basically incompatible with current DNS redirect technology.  We have 
> always known this and we expect that one result of turning on DNSSEC 
> validation will be that Domain Helper's DNS redirect functionality will 
> need to be disabled, absent any additional IETF standards work or other 
> technology advances (and we're not aware of any work on either of these 
> fronts).  I anticipate updating our IETF draft on this subject soon, but 
> probably will not have time to do so until after IETF 77, which takes 
> place in late March.
> For more information on the DNSSEC deployment at Comcast, please check 
> out http://www.dnssec.comcast.net.
> Regards,
> Jason Livingood
> Internet Systems Engineering
> Comcast

Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com

----- End forwarded message -----