USC/ISI Root Server Operations: Report on Compliance with RSSAC001 -- Service Expectations of Root Servers
Purpose and Structure of This Document
RSSAC-001 calls for the operators of DNS root name servers (“root server operators” or RSOs) to make certain commitments in operational practice and service delivery, and to document them, publicly to the extent possible.
B-Root is committed to meeting the expectations of RSSAC-001. We document this commitment below with detailed notes about each relevant section of RSSAC001. Further details about USC/ISI’s root server operations can additionally be found on our web page.
3.1 Infrastructure
(Section 3.1 of RSSAC 001)
[E.3.1-A] Individual Root Server Operators are to publish or continue to publish operationally relevant details of their infrastructure, including service-delivery locations, addressing information and routing (e.g., origin autonomous system) information.
Public information on the infrastructure, administration, and operation of USC/ISI’s root server is available at the shared root server operations website (https://www.root-servers.org, under the B tab at the bottom of the page) and our own page at https://b.root-servers.org. These pages include contact information, routing details, pointers to data repositories, and recent news.
[E.3.1-B] Individual Root Servers will deliver the service in conformance to IETF standards and requirements as described in RFC 7720 and any other IETF standards-defined Internet Protocol as deemed appropriate.
USC/ISI root name server operation complies with RFC 7720 (“DNS Root Name Service Protocol and Deployment Requirements”) and only deploys DNS software and services that meet the DNS protocol specifications. We require the same of any partners. For further details, see our website.
3.2 Service Accuracy
(Section 3.2 of RSSAC 001)
[E.3.2-A] Individual Root Servers will adopt or continue to implement the current DNS protocol and associated best practices through appropriate software and infrastructure choices.
USC/ISI complies with best practices for hardware, software, configuration, and operation of its DNS servers.
[E.3.2-B] Individual Root Servers will serve accurate and current revisions of the root zone.
USC/ISI has publicly committed to this requirement for many years. See our “B-Root Statement of Operational Principles” page for further details.
[E.3.2-C] Individual Root Servers will continue to provide “loosely coherent” service across their infrastructure.
As stated in [E.3.2-A] above, USC/ISI complies with this requirement by using well-known and protocol-compliant software, and monitors the infrastructure to assure coherence.
[E.3.2-D] All Root Servers will continue to serve precise, accurate zones as distributed from the Root Zone Maintainer.
See [E.3.2-A], above.
3.3 Service Availability
(Section 3.2 of RSSAC 001)
[E.3.3-A] Individual Root Servers are to be deployed such that planned maintenance on individual infrastructure elements is possible without any measurable loss of service availability.
USC/ISI meets this requirement in its procedures for planned maintenance.
[E.3.3-B] Infrastructure used to deploy individual Root Servers is to be significantly redundant, such that unplanned failures in individual components must not cause the corresponding service to become generally unavailable to the Internet.
USC/ISI root server operations have substantially met this requirement since 2017, when we deployed our second site in a location geographically distant from our first.
[E.3.3-C] Each Root Server Operator shall publish documentation that describes the operator’s commitment to service availability through maintenance scheduling and its commitment to the notification of relevant operational events to the Internet community.
USC/ISI publishes descriptions of any recent service-affecting events, and upcoming maintenance plans, on the B-Root information site at https://b.root-servers.org/news.html. If we ever anticipate that maintenance will affect user-visible operation of the root name service we operate, we also announce it to appropriate network operations mailing lists.
3.4 Service Capability
(Section 3.4 of RSSAC001)
[E.3.4-A] Individual Root Server Operators will make all reasonable efforts to ensure that sufficient capacity exists in their deployed infrastructure to allow for substantial flash crowds or denial of service (DoS) attacks.
USC/ISI has made significant investment in infrastructure that can handle rapid, substantial changes in demand, whether for legitimate use (‘flash crowds’) or in an attack. We’re continuing to expand capacity with planned deployments of both dedicated infrastructure and cloud-based resources.
[E.3.4-B] Each root server operator shall publish documentation on the capacity of their infrastructure, including details of current steady-state load and the maximum estimated capacity available.
USC/ISI publishes steady-state load and other operational statistics as specified in RSSAC002v3, “RSSAC Advisory on Measurements of the Root Server System”, on our website at https://b.root-servers.org/rssac/.
We choose not to publish maximum estimated capacity out of concern that this information would assist DDoS attackers.
3.5 Operational Security
(Section 3.5 of RSSAC001)
[E.3.5-A] Individual Root Server Operators will adopt or continue to follow best practices with regard to operational security in the operation of their infrastructure.
USC/ISI is committed to following best practices with regard to secure infrastructure provisioning and operation.
[E.3.5-B] Root Server Operators shall publish high-level business continuity plans with respect to their Root Server infrastructure.
USC is a large, stable organization which has supported its root server to date and plans to continue that support into the future. If the situation changes, we will discuss the impact in advance with the other RSOs and with the ICANN community.
3.6 Diversity of Implementation
(Section 3.6 of RSSAC 001)
[E.3.6-A] Each Root Server Operator shall publish documentation that describes key implementation choices (such as the type of DNS software used) to allow interested members of the Internet community to assess the diversity of implementation choices across the system as a whole.
USC/ISI coordinates with other RSOs to ensure there is adequate diversity of hardware, software, and operational practice across the 12 root server operator organizations. In particular, we thank Internet Systems Consortium (ISC) for their support of the BIND DNS software.
3.7 Monitoring and Measurement
(Section 3.7 of RSSAC 001)
[E.3.7-A] Each Root Server Operator will adopt or continue to follow best current practices with respect to operational monitoring of elements within their infrastructure.
USC/ISI collects the data described in RSSAC002v3, “RSSAC Advisory on Measurements of the Root Server System”, and makes it available for download at https://b.root-servers.org/rssac/.
3.8 Communication
(Section 3.8 of RSSAC 001)
[E.3.8.1-A] Individual Root Server Operators will continue to maintain functional communication channels between each other in order to facilitate coordination and maintain functional working relationships between technical staff.
The USC/ISI root server operations team is reachable as described at the “Contact us” link at https://b.root-servers.org/. The team regularly coordinates with other root server operators through its participation in root-server operations meetings and the RSSAC.
[E.3.8.1-B] All communications channels are to be tested regularly.
The USC/ISI root server operations team participates in a variety of regular communications with other RSOs, in person and virtual. The team also participates in tests of emergency communications mechanisms.
[E.3.8.2-A] Individual Root Server Operators shall publish administrative and operational contact information to allow users and other interested parties to escalate technical service concerns.
See [E.3.1-A].