Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:34 PM
Connect Directly

Comcast Internet Service Now Fully DNSSEC-Based

ISP finishes its rollout of the DNS security protocol

Comcast today became one of the first major ISPs in North America to fully run the Domain Name System Security Extensions (DNSSEC) protocol as part of its services.

Jason Livingood, vice president of Internet systems in Comcast's network and operations, today blogged that DNSSEC is now part of its Comcast Constant Guard from Xfinity service. That means that nearly 18 million residential customers of the Xfinity Internet service are using DNS servers that use DNSSEC validation. Comcast's more than 5,000 domain names are also now digitally signed by DNSSEC.

DNSSEC has been gradually rolling out across the Internet over the past year or so. Several major top-level domains, including .com, .org, .net, and .gov, are now DNSSEC-enabled. DNSSEC is a protocol for preventing attackers from redirecting users to malicious websites by redirecting them -- it basically ensures DNS entries remain unchanged in transit and are digitally signed to ensure their authenticity.

[After a sluggish start, DNSSEC is finally catching on after more than a decade in the making. See DNSSEC Finally Comes To .com, But Secure DNS Still Has A Long Way To Go .].

"Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names. While in the past those domains may have wanted to do so but felt it would have limited effect, they now can work on signing their domains knowing that the largest ISP in the U.S. can validate those signatures on behalf of our customers," Livingood said in his post.

Security expert Dan Kaminsky, who discovered a major DNS caching vulnerability in 2008 that helped expedite DNSSEC's adoption, says he's thrilled that Comcast has stepped up and implemented the protocol. "DNSSEC is the proper fix to my 2008 attack, and I am extremely proud of Comcast for taking this step to protect their users," Kaminsky says. "I am particularly happy that they correctly judged the importance of genuine responses higher than their minor income stream from injecting advertisements.

"The integrity of the DNS is of critical importance to present and future security technologies, and Comcast has done their users a service by investing in DNSSEC," he says.

Now when a Comcast subscriber visits a website, Comcast's DNS servers confirm the domain name and check that its signature is valid and legitimate. Comcast also cryptographically signs its own domain names, like xfinity.com.

Comcast traditionally has been ahead of the curve in security for ISPs. More than two years ago, it was one of the first to employ a bot-notification service that notifies customers whose machines it spots as bot-infected. It then directs the infected user to the antivirus center, where he follows directions to remove the bot malware.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-18
In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in the ipsec packet processor allows reinjection of an old packet to be accepted by the ipsec endpoint. Depending on the higher-level protocol in use over ipsec, this could allow an action to be repeated.
PUBLISHED: 2020-02-18
In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r357214, and 11.3-RELEASE before 11.3-RELEASE-p6, URL handling in libfetch with URLs containing username and/or password components is vulnerable to a heap buffer over...
PUBLISHED: 2020-02-18
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
PUBLISHED: 2020-02-18
dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
PUBLISHED: 2020-02-18
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.