Tuesday, Comcast announced a public trial that any Comcast cable Internet access user can participate in. And a year from now, DNSSEC validation will be rolled out throughout all of Comcast's DNS resolvers. Comcast will also be signing all of the domains it hosts, including comcast.com, comcast.net, and xfinity.com.

The DNSSEC extensions to the DNS protocol make it possible for a validating server or a validating host to determine whether information in the Domain Name System is legitimate or not, the same way that it's possible to determine whether a signed e-mail message did indeed come from the holder of the e-mail address. In the past, it was trivial to inject fake information in DNS servers.

The most egregious holes were fixed, but 18 months ago Dan Kaminsky showed that it's still possible to "poison" DNS servers, and this time the problem wasn't completely or easily fixable. DNS poisoning allows attackers to redirect HTTP and other requests to any address they choose. The authentication in SSL (used in HTTPS and other secure protocols) can detect this and throw up a warning, but relying on SSL warnings against network attacks is about as effective as relying on abstinence against teen pregnancy. A DNS server that validates DNSSEC, on the other hand, filters out any fake information that may have been injected, so the user is never tempted to click away a warning.

In order for DNSSEC to work, the complete naming hierarchy must be signed. So if a server wants to make sure that xfinity.com really maps to 68.87.85.132, it needs to check the signatures for xfinity.com, for .com, and for "the dot", the root of the DNS hierarchy. As mentioned above, Comcast will take care of xfinity.com. Verisign will sign .com and .net in 2011; others, such as .org and .se, have already signed their "zones." The DNS root is expected to be signed in July. At this point, two of the root servers already respond to RRSIG and DNSKEY queries for the root, but apparently some more work is necessary:

. 86400 IN DNSKEY 256 3 8 AwEAAa1Lh++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ +++++++8

Until everything is in place, Comcast will use an ad-hoc list of trust anchors maintained by IANA, the Internet Assigned Numbers Authority (the people who keep track of protocol numbers for the IETF). Like adding IPv6 addresses to the root, adding DNSSEC information will make certain DNS responses larger, which old DNS servers may not like. And if the responses are really big—not hard with all these signatures and keys—DNS queries have to be repeated over TCP, and firewall admins may be unaware that DNS uses TCP as well as UDP.

Comcast users who don't want to wait until DNSSEC validation is rolled out on Comcast's production DNS resolvers can participate in the trial by setting their DNS server addresses to 75.75.75.75 and 75.75.76.76. (Those don't work from outside Comcast's network.) Unfortunately, Comcast doesn't identify any test cases that show a difference between a DNSSEC-validated response and a regular DNS response. Comcast provides some guidance:

We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.

Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.

The DNSSEC trial servers we are announcing today do not have Comcast Domain Helper's DNS redirect functionality enabled.
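Since the article notes that Comcast gives no test case showing how a validated answer differs from a regular one, and that oversized answers force a retry over TCP, here is an added illustration (not from the article or from Comcast) of what a client actually sees: a validating resolver sets the AD (authenticated data) flag in the response header when the signature chain checked out, answers SERVFAIL when it did not, and sets TC when the answer was too large for UDP. The sample headers are constructed inline rather than captured from the trial resolvers.

```python
import struct

# DNS header flag bits (RFC 1035 header layout; AD/CD from RFC 4035).
FLAG_QR = 0x8000  # this packet is a response
FLAG_TC = 0x0200  # truncated: answer did not fit in UDP, client must retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated the DNSSEC chain
FLAG_CD = 0x0010  # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2  # what a validating resolver returns for a bogus (failed) answer


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields relevant to DNSSEC handling."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "authenticated": bool(flags & FLAG_AD),
        "rcode": flags & RCODE_MASK,
        "answers": ancount,
    }


def classify(packet: bytes) -> str:
    """Say what a client should conclude from a resolver's response header."""
    h = parse_header(packet)
    if not h["response"]:
        return "not-a-response"
    if h["truncated"]:
        return "retry-over-tcp"      # repeat the same query over TCP port 53
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"            # validation failed: the data was filtered out
    if h["authenticated"]:
        return "validated"           # AD set: resolver verified the chain to the trust anchor
    return "unvalidated"             # ordinary answer, no DNSSEC assurance


def build_header(ident: int, flags: int, answers: int = 1) -> bytes:
    """Construct a header for the samples below (one question, no authority/additional RRs)."""
    return struct.pack("!6H", ident, flags, 1, answers, 0, 0)


# Constructed sample headers, not captured traffic.
VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
PLAIN = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
TRUNCATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, answers=0)
BOGUS = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, answers=0)
```

A resolver only sets AD when the query signalled interest in it (the EDNS DO bit or the AD bit in the query), so a plain stub resolver will see "unvalidated" even from a validating server.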

Comcast is the first major ISP in the US to make DNSSEC validation available to its users.