Comcast & DNSSEC validation


I’m getting multiple reports of Comcast users reporting my sites as unreachable. If they run traceroutes on the affected domains they all die at comcast. I’ve filed an “unblock” request for the domain I’m getting the most complaints about, but no response from Comcast.

Googling around in frustration I found a blog post that says that Comcast is using DNSSEC validation. Running one domain against a DNSSEC analysis tool reports several discrepancies.

If this is the source or reason for the Comcast blocks of my domains, are any of the results under my control – in other words do I fix them personally somehow – or is this under DH control?

Sample results:

[quote] FAIL No DS records found for in the org zone
FAIL No DNSKEY records found
PASS A RR has value nnn.nnn.nnn.nnn
FAIL No RRSIGs found
FAIL No RRSIGs found
FAIL No RRSIGs found[/quote]


We don’t currently use DNSSEC signing on any of our domains. Very few hosts or web sites do at this point, though, so that’s almost certainly not the issue.

Please contact our support team. If you’ve got traceroute results from your users, include those — they’d be extremely helpful.
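
Added example, not from this thread or from DreamHost: a small Python script that parses analysis output in the format quoted in the first post and maps it to the outcome a validating resolver would reach. The "No ... found" wordings it matches and the decision rules (based on RFC 4035's secure/insecure/bogus states) are assumptions, and the script checks presence only, not signature validity.

```python
import re

# Constructed copy of the sample results quoted in the first post (the domain
# name was elided there, so it is elided here too).
SAMPLE_RESULTS = """\
FAIL No DS records found for in the org zone
FAIL No DNSKEY records found
PASS A RR has value nnn.nnn.nnn.nnn
FAIL No RRSIGs found
FAIL No RRSIGs found
FAIL No RRSIGs found
"""

def parse_results(text):
    """Record which DNSSEC artefacts the tool found (DS, DNSKEY, RRSIG).
    The 'No ... found' phrasings matched here are assumed from the sample
    above; a different tool would need its own patterns.
    """
    found = {"ds": True, "dnskey": True, "rrsig": True}
    for line in text.splitlines():
        m = re.match(r"(PASS|FAIL)\s+(.*)", line.strip())
        if not m or m.group(1) != "FAIL":
            continue
        msg = m.group(2)
        if "No DS records" in msg:
            found["ds"] = False
        elif "No DNSKEY records" in msg:
            found["dnskey"] = False
        elif "No RRSIGs" in msg:
            found["rrsig"] = False
    return found

def validation_state(found):
    """Map artefact presence to the RFC 4035 validator outcome.

    - No DS at the parent: the chain of trust ends there, so the zone is
      'insecure' (unsigned). A validating resolver answers normally.
    - DS present, DNSKEY and RRSIGs present: 'secure' (if the signatures
      verify, which this offline check does not attempt).
    - DS present but DNSKEY or RRSIGs missing: 'bogus'. The resolver returns
      SERVFAIL and users see the site as unreachable.
    """
    if not found["ds"]:
        return "insecure"
    if found["dnskey"] and found["rrsig"]:
        return "secure"
    return "bogus"
```

For a live domain the same distinction shows up in a validating resolver's answer: the AD flag set means secure, a normal answer without AD means insecure, and SERVFAIL from the validator (with a normal answer from a non-validating one) means bogus.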


Thanks for the DNSSEC info.

I opened a support ticket but the response was “We would need clarification of what the ‘bad action’ was that Comcast claims to have caused them to block the site. We cannot control Comcast, or their behavior, but we will investigate any bad actions reported.”

Since I don’t know why Comcast is blocking I don’t really know what to tell support, other than we’re being blocked – which was why I opened the ticket in the first place. I do have a traceroute one of my savvier forum members sent, and it shows the request dying at Comcast. I guess I will try another ticket.