Our system, as requested, comes with dual power supplies, to both protect against the failure of a power supply and protect the system as a whole. ISC requires that each PSU be fed from a different power source that does not share a common breaker — and that each breaker have enough overhead available that it can handle the entire load of the system at full power. ISC will set CPU throttling options as possible on the node if at all possible.
Physical Security Requirements
Because F-Root is a “small” service, it is not uncommon for the system to live with other “core” equipment, often close to an Exchange switch, rather than in customer colocation space. While ISC attempts to tamper-proof our systems as much as possible, we strongly recommend that F-Root nodes not be placed in shared colocation facilities where the general customer pool has access to the machine.
Network Connections (Physical and IP Requirements)
All F-Root servers offer IPv4 and IPv6 service, and we require that the management and exchange connections be dual-stack. (The connection for the remote management card can be v4-only, if need be.) ISC requires several subnets/connections of provided IP address space for each F-Root node:
A single IPv4 address, with a static default route, to be used for the Drac (this is a copper-only 10/100 connection). If you have a router that is capable of placing a simple ACL, we can provide an IP block to restrict from during initial setup, but this is not strictly necessary.
A transit link with a /28 of IPv4 address space for management of the various systems functions, and a /64 of IPv6, with a BGP session originating a default route. By default, we expect this to be a gigabit copper connection.
A connection with a single IPv4 and IPv6 peering IP address for your Internet exchange. This connection can be fiber or copper. Dual-Stack IPv6 (as well as IPv4) is a hard requirement.
The standard F-Root server has SFP+ optics, and thus is configured for connection at 10G, or at 1G if compatible down-clocking SFP+ optics are used (regular 1GE SFP optics will not work). If your exchange supports copper gigabit ethernet and your planned location for the system is within the length requirements mandated by the ethernet specification, this is also workable without needing a special optic.
F-Root nodes require reliable upstream bandwidth, for the ability to transfer the root zone from our distribution primaries, as well as monitoring and provisioning. Additionally, there are regular (several times annually) coordinated exercises across all F-Root nodes wherein all DNS data is captured and uploaded to a location off-site; reliability is essential for this task. (99.9 percent uptime is required.)
Because routing is asymmetric, an F-Root node’s prefix may be advertised to clients which themselves do not advertise a return route via the same protocol; thus, there is the expectation that there will be a fairly regular stream of DNS responses returning back over the management transit connection to the Internet at large. No attempt must be made to limit or restrict these, although ISC can provide a list of IP addresses from which these packets will originate.
Network Neutrality and Firewalling
ISC requires that the traffic going to/from an F-Root server not be modified in transit or interfered with in any way, including but not limited to: TCP/UDP Port Blocking, Rate Limiting (except as provided by physical interface requirements), modification of DNS queries or responses in-transit, or limitations on which clients may be served by an F-Root node.
Communications and Remote Hands
ISC requires your organization to provide Administrative, Technical, and Abuse contacts. We require as much advance notice as possible for service-affecting maintenance issues.
BGP Route-Server Preferred (IX sites)
If you are an Internet Exchange, ISC strongly recommends that your organization have a route server available and that our node peer with the route server, so that anyone who wants to gain the benefits of F-Root need only peer with the route server. In non-route server scenarios, ISC advertises the F-Root prefixes with the well-known BGP Community NO_EXPORT (65535:65281). With a route server present, the route must still be advertised to peers with this community set, but route servers present additional challenges. Your route server must either be configured specifically to “overlook” the NO_EXPORT community but re-apply it when advertising it to other peers, or provide a community whereby ISC may signal that this community must be applied to the routes.
ISC will provide instructions for network configuration and for BGP configuration of the name service interface. We will finish the configuration and bring it online remotely. Our servers expect to peer with RS (Route Server) devices, but under special circumstances we can do individual peering with clients that do not use the route server.