Comcast will transition to DNSSEC

"We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers," Comcast said in a statement. "You won’t need to make any changes to start using DNSSEC; it will happen automatically if you are currently using our DNS."

DNSSEC is instrumental in stopping attackers from carrying out most of the well-known attacks on domain name system servers, including DNS cache poisoning. It works by digitally signing DNS records, so that resolvers that check those signatures know the responses they receive come from authorised sources.

Comcast has provided DNS server IP addresses for those customers who are interested in participating in trials before 2011. Changing primary and secondary DNS addresses to 75.75.75.75 and 75.75.76.76 will automatically switch them to the service. IPv6 addresses will be added soon, Comcast added.
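A customer who switches to the trial resolvers can check whether answers are being validated by sending a query with the EDNS0 DO bit set and reading the AD flag in the reply. The Python below is an added example, not code from Comcast or the article; the function names and the header-only sample replies are constructed for illustration.

```python
import secrets
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020  # AD = Authenticated Data (RFC 4035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, txid, qtype=1):
    """A-record query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, class = UDP size 1232, TTL flags with DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify_response(packet):
    """Return (rcode, ad_flag, answer_count) from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & FLAG_AD), answers

def verdict(packet):
    rcode, ad, _answers = classify_response(packet)
    if rcode == "SERVFAIL":
        return "failed (a validating resolver also returns this for bad signatures)"
    # AD is set by the resolver and is not itself signed: it is only as
    # trustworthy as the network path between the client and that resolver.
    return "validated" if ad else "not validated"

def ask(server, name, timeout=3.0):  # live check; needs network, not run at import
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # only accept datagrams from this resolver
        s.send(build_query(name, txid))
        reply = s.recv(4096)
    if reply[:2] != struct.pack("!H", txid):
        raise ValueError("transaction ID mismatch")
    return verdict(reply)

# Constructed header-only replies (flags: QR|RD|RA, plus AD or an RCODE).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
```

With network access, `ask("75.75.75.75", "comcast.net")` runs the same check against one of the trial resolvers named above.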

The DNSSEC implementation will break Comcast's existing web error redirection system, called Comcast Domain Helper. Comcast said it will turn off the service when DNSSEC is fully implemented.

Comcast began its DNSSEC trial in October 2008, following a decision by the .gov top-level domain to implement the service. It originally provided a publicly available DNSSEC resolver for testing purposes.
