Comcast

About Domain Name System Security Extensions (DNSSEC)

Introduction

What you need to know about DNSSEC.

DNSSEC is enhanced security

DNSSEC (Domain Name System Security Extensions) is part of Constant Guard, which helps provide you with the best and safest online experience possible. It allows websites and ISPs to validate domain names to ensure they haven’t been tampered with.

With DNSSEC, the DNS records for a website name such as www.comcast.net are digitally signed in the Domain Name System (DNS). Then, when you try to connect to that website, the Comcast DNS servers verify its security signature. You will only be connected if the website passes the verification process, which happens so quickly you shouldn’t even notice that it’s being done. This process prevents hackers from redirecting you to fake, phishing or criminal sites.

While some third-party DNS servers do not currently perform this validation, doing so is a best practice. Any DNS server operators not yet following this global security standard will likely do so soon. (They may be restrained by technical limitations that will soon be remedied.)

Your new IP address

We have moved all customers to new DNSSEC servers. As a result, customers will see a new DNS IP address of either 75.75.75.75 or 75.75.76.76. You don't need to do anything to initiate this change and there is no change to your current service.

Validation failure

When validation fails on a domain name you are looking up, you’ll receive a “page not found” or “server not found” error. This is not something we can fix. We are following all relevant Internet standards and DNS Security Extensions guidelines in sending this error message. Since DNS security validation has failed, it would no longer be safe to send you to the site.

In order for you to gain access to the destination site, the site’s administrators need to resolve the issue. You may want to contact them to advise them of the problem, although it is likely that they are aware of the condition.

We strongly recommend against changing your DNS servers to ones that do not perform DNSSEC validation in order to access the site. Such a failure can indicate a security problem that could result in your computer being infected with malware or viruses. In cases where DNS records have been spoofed or falsified, DNS records for any SSL certificates may have been spoofed or otherwise modified as well. Therefore, it is not sufficient to depend upon SSL encryption between your computer and the destination server or a third-party SSL certificate. You can see what may be failing DNSSEC validation by using a diagnostic tool such as DNSViz.net.
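To tell a DNSSEC validation failure apart from an ordinary outage, you can compare a normal query with one that sets the DNS "checking disabled" (CD) bit. The following is an added example, not Comcast's code. It relies on the standard behavior that a validating resolver answers SERVFAIL when validation fails and skips validation when CD is set. The function names are hypothetical and the default resolver address is the one given above.

```python
import socket
import struct

SERVFAIL = 2
AD, CD = 0x0020, 0x0010  # header flag bits: Authenticated Data, Checking Disabled

def build_query(name, qid, cd=False):
    """Build an A-record query with EDNS0 and the DO bit; optionally set CD."""
    flags = 0x0100 | (CD if cd else 0)                  # RD, plus CD when requested
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN
    # OPT pseudo-record: root name, type 41, UDP size 1232, DO flag, no options
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(msg):
    """Return (id, rcode, ad_flag, answer_count) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, bool(flags & AD), an

def classify(normal, with_cd):
    """Compare the reply to a normal query with the reply to a CD=1 query."""
    _, rcode, ad, _ = parse_header(normal)
    _, rcode_cd, _, an_cd = parse_header(with_cd)
    if rcode == SERVFAIL and rcode_cd == 0 and an_cd > 0:
        return "dnssec-validation-failure"   # data exists but did not validate
    if rcode == SERVFAIL:
        return "servfail-other-cause"        # fails even without validation
    if rcode == 0 and ad:
        return "validated"
    if rcode == 0:
        return "resolved-unsigned-or-not-validated"
    return "rcode-%d" % rcode

def diagnose(name, resolver="75.75.75.75", timeout=3.0):
    """Send both queries over UDP to the resolver and classify the pair."""
    replies = []
    for qid, cd in ((0x1001, False), (0x1002, True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid, cd), (resolver, 53))
            replies.append(s.recvfrom(4096)[0])
    return classify(*replies)
```

Call `diagnose("example.com")` with the failing name; a result of `dnssec-validation-failure` means the problem lies in the domain's signed records, which only the site's administrators can correct.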

Find this article at:

http://customer.comcast.com/help-and-support/internet/domain-name-system-security-extensions/