Our system, as requested, comes with dual power supplies, both to protect against the failure of a single power supply and to protect the system as a whole. ISC requires that each PSU be fed from a different power source, that the two sources not share a common breaker, and that each breaker have enough overhead available to handle the entire load of the system at full power. ISC will set CPU throttling options on the node where possible.
Physical Security Requirements
Because F Root is a “small” service, it is not uncommon for the system to live with other “core” equipment, often close to an Exchange switch, rather than in customer colocation space. While ISC attempts to tamper-proof our systems as much as possible, ISC strongly recommends that F-root nodes not be placed in shared colocation facilities, where the general customer pool has access to the machine.
Network Connections (Physical and IP Requirements)
All F-Root servers offer IPv4 and IPv6 service, and we require that the management and exchange connections be dual-stack. (The connection for the remote management card can be v4-only, if need be.) ISC requires several subnets/connections of provided IP address space for each F-Root node:
- A single IPv4 address, with a default route, to be used for the DRAC (this is a copper-only 10/100 connection). If you have a router that is capable of applying a simple ACL, we can provide an IP block to restrict from during initial setup, but this is not strictly necessary.
- A /28 of IPv4 address space for management of the various system functions, and a /64 of IPv6. By default, we expect this to be a gigabit copper connection.
- A connection with a single IPv4 and a single IPv6 peering address for your internet exchange. This connection can be fiber or copper. Dual-stack (IPv6 as well as IPv4) is a hard requirement.
The standard F-Root server has SFP+ optics, and thus is configured for connection only at 10G, but there are optics available which allow for a connection to a 1G fiber connection as well. (These are special SFP+ optics that can down-clock; regular SFP+ optics will not work.) If your exchange supports copper gigabit Ethernet and your planned location for the system is within the length requirements mandated by the Ethernet specification, this is also workable without needing a special optic.
F-Root nodes require reliable upstream bandwidth to transfer the root zone from our distribution masters, as well as for monitoring and provisioning. Additionally, there are regular (several times annually) coordinated exercises across all F-root nodes in which all DNS data is captured and uploaded to an off-site location, and this must be able to happen reliably. (99.9 percent uptime is required.)
Because routing is asymmetric, an F-root node’s prefix may be advertised to clients which themselves do not advertise a return route via the same protocol; thus, there is the expectation that there will be a fairly regular stream of DNS responses returning over the management connection to the internet at large. No attempt must be made to limit or restrict these, although ISC can provide a list of IP addresses from which these packets will originate.
ISC requires that the traffic going to/from an F-root server not be modified in transit or interfered with in any way, including but not limited to: TCP/UDP Port Blocking, Rate Limiting (except as provided by physical interface requirements), modification of DNS queries or responses in-transit, or limitations on which clients may be served by an F-root node.
Communications and Remote Hands
ISC requires that we have Administrative, Technical, and Abuse contacts available for your organization. We require as much advance notice as possible for service-affecting maintenance issues.
ISC strongly recommends that your staff subscribe to our low-volume mailing list for announcements and service changes.
BGP Route-Server preferred
ISC strongly recommends that your organization have a route server available, and that our node peer with the route server, such that anyone who wants to gain the benefits of F Root need only peer with the route server.
In non-route-server scenarios, ISC advertises the F-root prefixes with the well-known BGP community NO_EXPORT (65535:65281). With a route server present, the route must still be advertised to peers with this community set, but route servers present additional challenges. Your route server must either be configured specifically to “overlook” the NO_EXPORT community but re-apply it when advertising the route to other peers, or provide a community whereby ISC may signal that NO_EXPORT must be applied to the routes.
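The two route-server options above, modelled as export decisions. This is an added example, not ISC's or any route-server project's code; the prefix is a documentation placeholder, the signal community 64512:281 is hypothetical, and the assumption that the node sends only the signal community in the second option is ours.

```python
from dataclasses import dataclass, field

NO_EXPORT = (65535, 65281)           # RFC 1997 well-known community (0xFFFFFF01)
SIGNAL_ADD_NO_EXPORT = (64512, 281)  # hypothetical route-server action community
PLACEHOLDER_PREFIX = "192.0.2.0/24"  # constructed; not a real F-root prefix


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = field(default_factory=frozenset)


def export_rfc1997(route):
    """Default handling: a NO_EXPORT route is not sent on to eBGP peers."""
    return None if NO_EXPORT in route.communities else route


def export_overlook_and_reapply(route, protected_prefixes):
    """Option 1: overlook NO_EXPORT for the listed prefixes, but guarantee
    the community is present on the copy the peers receive."""
    if route.prefix in protected_prefixes:
        return Route(route.prefix, route.communities | {NO_EXPORT})
    return export_rfc1997(route)


def export_signal_community(route):
    """Option 2: the node tags the route with a signal community; the route
    server strips the signal and applies NO_EXPORT before exporting."""
    if SIGNAL_ADD_NO_EXPORT in route.communities:
        kept = route.communities - {SIGNAL_ADD_NO_EXPORT}
        return Route(route.prefix, kept | {NO_EXPORT})
    return export_rfc1997(route)


def peer_may_readvertise(route):
    """A member router honouring RFC 1997 keeps NO_EXPORT routes local."""
    return NO_EXPORT not in route.communities


if __name__ == "__main__":
    tagged = Route(PLACEHOLDER_PREFIX, frozenset({NO_EXPORT}))
    print("default RS export:", export_rfc1997(tagged))
    sent = export_overlook_and_reapply(tagged, {PLACEHOLDER_PREFIX})
    print("option 1 export:", sent, "re-advertise?", peer_may_readvertise(sent))
```

In both options the property to verify on a member router is the same: the route arrives, and it arrives with 65535:65281 still attached.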
ISC will provide instructions for network configuration and for BGP configuration of the name service interface. When this is done, we will finish the configuration and bring it online remotely. Our servers expect to peer with RS (Route Server) devices, but under special circumstances can peer individually with clients that do not use the route server.