What lessons did Comcast learn in rolling out DNSSEC validation to their 18 million subscribers in the US? Did they have to make any changes to their network? What happened as they scaled up their deployment?
These were some of the many questions addressed by Comcast’s Chris Griffiths at the ICANN 45 DNSSEC Deployment Workshop on October 17, 2012, in his presentation titled, “DNSSEC Activities in North America: Comcast“.
Chris outlined how Comcast began working with DNSSEC and where it is today, but more importantly he highlighted questions that network operators need to be thinking about and discussed some of the issues they have seen. He also mentioned Comcast’s site at http://dns.comcast.net/ where they are now listing sites that are experiencing DNSSEC problems.
At the end, Chris highlighted some of the challenges they still see, such as dealing effectively with load balancers and content distribution networks, as well as solving the upload of DS records to many different registrars.
The slides are well worth reviewing and if you want to hear Chris’ presentation, the audio recording of the entire day is available from ICANN’s website (you’ll just need to jump ahead to Chris’ section).
We definitely appreciate that not only is Comcast deploying DNSSEC, but they are also having people like Chris go out and speak at technical forums about what they have done. Sure, it’s good publicity for them, but the information that they have learned is immensely valuable to share as a case study, and will only help expand the deployment of DNSSEC.
Now, we just need to see more network operators giving case study presentations like this! 🙂