In a blog post, Comcast said it has deployed DNS Security Extensions โ dubbed DNSSEC โ throughout its nationwide network and will immediately make validating servers available to any of its customers that want to experiment with this emerging security technique.
In addition to this public trial of DNSSEC validation services, Comcast says it will digitally sign all of its own domain names โ more than 5,000 in total โ using DNSSEC by the first quarter of 2011.
Philadelphia-based Comcast is a cable provider with about 26 million television and 16 million Internet subscribers in 39 U.S. states.
By the end of 2011, Comcast says it will have production-quality DNSSEC resolution services available to all of its business and residential customers.
โThere is often talk about a chicken-and-egg sort of problem with DNSSEC. People donโt want to sign their own domains with DNSSEC until people are validating signatures,โ says Jason Livingood, Executive Director of Internet Systems Engineering at Comcast. โWe want to explain how we as an ISP have a road map for validating signatures with DNSSEC.โ
DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to authenticate their domain names and corresponding IP addresses using digital signatures and public-key encryption. When DNSSEC is fully deployed, Internet users will be able to verify that the Web sites they visit are digitally signed.
On this side of the border, a spokesperson for Bell Canada Enterprises (BCE) Inc. said the telco is โmonitoringโ DNSSEC but is โnot in a position to comment on any deployments at this time.โ
Rogers Communications Inc. has โno immediate plans for DNSSEC,โ a spokesperson for the Toronto cable company stated in an email.
DNSSEC โis a more significant a considerationโ in networks using Internet Protocol version 6 (IPv6), the spokesperson wrote.
Comcast is believed to be the first U.S. carrier to announce plans to support resolution of DNSSEC queries for its customers as well as to sign its own domain names using DNSSEC.
โThere are no large U.S. ISPs that have been publicly resolving and signing using DNSSEC in a large trial. But there are lots of people doing small little tests of DNSSEC,โ says Paul Hoffman, Director of the VPN Consortium and an active participant in DNSSEC standards development work by the Internet Engineering Task Force.
Hoffman says until now no U.S. carrier has committed to DNSSEC resolution, which could be a stumbling block to DNSSEC deployment.
โMany people have been worried that there would be a lot of people signing their domain names, and no one checking for the resolution,โ Hoffman says. โA major ISP doing both halves of the equation with DNSSEC is a big deal.โ
DNSSEC is a hierarchical system, and it requires authentication at every step in the process of matching a domain name with the corresponding IP address. In order for a user to receive an authenticated response from a popular Web site such as amazon.com, DNSSEC needs to be deployed on the Internetโs root servers, the .com domain servers operated by VeriSign, and the DNS servers operated by Amazon or its Web-hosting company. Consumers who visit Amazonโs Web site also need their ISPs to validate the digital signature they receive.
DNSSEC is in the process of being deployed across the Internetโs infrastructure. The DNS root servers will be signed in July, and VeriSign has committed to supporting DNSSEC on the .com and .net servers by early 2011. The U.S. federal government is deploying DNSSEC across the .gov domain, and the Public Interest Registry is supporting DNSSEC in .org.
Once the DNS root servers as well as popular top-level domains such as .com and .net are signed, DNSSEC is expected to be widely adopted by Web site operators such as Amazon.
Until now, U.S. ISPs have been slow to commit to DNSSEC. Thatโs why Comcastโs DNSSEC announcement is significant.
โThe intention of the trial is to see what things [happen] operationally with DNSSEC and to get ready to do this for the entire customer base once the root is signed and once the major top-level domains are signed,โ Livingood says.
Comcast said its public trial of DNSSEC includes immediate availability of DNSSEC validating servers using an Internet addressing and routing scheme known as Anycast.
Comcast has 12 sites across its network that process and cache DNS queries, and all 12 of these locations will handle DNSSEC resolution during the public trial.
โOur subscribers should be able to expect the same level of service for our DNSSEC servers as with our regular DNS servers,โ Livingood says. He added that โthe critical difference with this trial is that DNSSEC will be on the servers that are very close to the customers just as the nomral DNS servers are so they wonโt see a performance hit when they are using these on a trial basis.โ
Until the DNS root servers are signed, Comcast will use whatโs called a trust anchor repository to validate DNSSEC queries at the top of the DNS tree. Comcast is using IANAโs trust anchor repository for its public DNSSEC trial.
Comcast is promising an easy transition to production-level DNSSEC resolution services for its customers.
โWhen we turn on DNSSEC for all of our customers nationally in 2011, it will happen automatically,โ Livingood says. โWe will have tested it, and it will be seamless. People will not have to change their IP addresses. It will all occur behind the scenes.โ
Comcast also revealed its roadmap for signing its own domain names by March 2011. Comcast already has end-to-end DNSSEC validation on several domains including comcast.org, mycomcast.org and comcastbusiness.org .
โWe have 5,000 top-level domains that we manage like Comcast.net that weโre talking about signing,โ says Chris Griffiths, manager for high-speed Internet engineering at Comcast.
Comcast is using Nominumโs authoritative DNS software for its DNSSEC trial and deployment.
โComcast is one of Nominumโs largest DNS customers and has long been a model for the industry on how to do DNS right,โ Nominum said in a statement. โTheir plan to deploy our DNSSEC solution to combat cache poisoning and help mitigate other online threats is a significant milestone in the evolution of DNS technology and will help make the Internet a safer place for everyone.โ
Comcast said that the cost of deploying DNSSEC for both resolving queries and signing its domains is minimal.
โItโs not a huge investment,โ Livingood says. โWe upgraded the hardware on the servers in the past six months to be able to handle the computational load for signing this number of domains. But it hasnโt required a substantial investment, although we have been working closely with our vendors to make sure the tools were easy to use and that it was not an onerous process.โ
Comcast has been experimenting withย DNSSEC since 2008, when a high-profile flaw in the DNS โ commonly known as the Kaminsky Bug โ was revealed. DNSSEC is the only long-term fix for preventing Kaminsky-style attacks.
โBack then, we started working on all the operational issues of how difficult it is to sign zones, how difficult it is to do key roll-over and what are the challenges related to validating domains,โ Livingood says. โWe sent a lot of feedback to the vendors we useโฆWe think weโre at the stage where a lot of this stuffy is ready to use.โ
Comcast is hoping that its public trial of DNSSEC resolution services and its commitment to signing its own domains will prompt other carriers to follow suit.