U.S. Army DEVCOM Army Research Laboratory Statement of Compliance with RSSAC001

The U.S. Army DEVCOM Army Research Laboratory (ARL) is committed to serving the DNS root zone securely and reliably as one of the Internet's root server operators (RSOs). This document serves to demonstrate our compliance with the expectations of an RSO as described in RSSAC001.

[E.3.1-A] Individual Root Server Operators are to publish or continue to publish operationally relevant details of their infrastructure, including service-delivery locations, addressing information and routing (e.g., origin autonomous system) information.

This information is published and updated accordingly at https://www.root-servers.org.

[E.3.1-B] Individual Root Servers will deliver the service in conformance to IETF standards and requirements as described in RFC 7720 and any other IETF standards-defined Internet Protocol as deemed appropriate.

The operation of the ARL root name servers complies with RFC 7720 and other relevant IETF standard protocols.

[E.3.2-A] Individual Root Servers will adopt or continue to implement the current DNS protocol and associated best practices through appropriate software and infrastructure choices.

The operation of the ARL root name servers complies with current DNS protocol and associated best practices by using appropriate software and hardware.

[E.3.2-B] Individual Root Servers will serve accurate and current revisions of the root zone.

The ARL root name servers publish the root zone as provided by the Root Zone Maintainer (RZM). New versions of the zone are loaded and served as soon as notification and zone transfer complete.

[E.3.2-C] Individual Root Servers will continue to provide 'loosely coherent' service across their infrastructure.

The ARL root name server instances all receive notifications directly from the RZM and attempt to transfer/load the zone immediately upon receipt of said notification. Notification, zone transfer, and load times vary slightly among instances, thus providing a 'loosely coherent' service across our infrastructure.

[E.3.2-D] All Root Servers will continue to serve precise, accurate zones as distributed from the Root Zone Maintainer.

The ARL root name server instances ensure the integrity of zone data received from the RZM using the TSIG protocol (RFC 6895) with best practices for key management. ARL will only serve unmodified contents of zone data received from the RZM.

[E.3.3-A] Individual Root Servers are to be deployed such that planned maintenance on individual infrastructure elements is possible without any measurable loss of service availability.

Planned maintenance is scheduled such that the maximum number of instances are always available. BGP announcements are withdrawn for instances that are temporarily unavailable for maintenance.

[E.3.3-B] Infrastructure used to deploy individual Root Servers is to be significantly redundant, such that unplanned failures in individual components do not cause the corresponding service to become generally unavailable to the Internet.

ARL operates several anycast instances of its service around the world. Unplanned failures will not cause the service to become generally unavailable to the Internet.

[E.3.3-C] Each root server operator shall publish documentation that describes the operator's commitment to service availability through maintenance scheduling and notification of relevant operational events.

ARL makes announcements prior to planned maintenance to any of its service infrastructure.

[E.3.4-A] Individual Root Server Operators will make all reasonable efforts to ensure that sufficient capacity exists in their deployed infrastructure to allow for substantial flash crowds or denial of service (DoS) attacks.

Significant over-provisioning of network and compute capabilities has been deployed in the ARL root server infrastructure. Rate limiting and denial-of-service mitigations are in place.

[E.3.4-B] Each Root Server Operator shall publish documentation on the capacity of their infrastructure, including details of current steady-state load and the maximum estimated capacity available.

ARL does not publish data on the capacity of its infrastructure. Current steady-state load data is published via RSSAC002 statistics.

[E.3.5-A] Individual Root Server Operators will adopt or continue to follow best practices with regard to operational security in the operation of their infrastructure.

ARL follows current best practices for operational security of critical systems on its root server infrastructure.

[E.3.5-B] Root Server Operators shall publish high-level business continuity plans with respect to their Root Server infrastructure.

The root server infrastructure at ARL is deemed 'critical infrastructure' and its operation will not be affected by organizational stoppages. Operational personnel are considered critical as well and are available to perform their required duties at all times.

[E.3.6-A] Each Root Server Operator shall publish documentation that describes key implementation choices (such as the type of DNS software used) to allow interested members of the Internet community to assess the diversity of implementation choices across the system as a whole.

ARL uses NSD software on Linux systems across its root server infrastructure. As new versions of software and OS components are released, software is tested and deployed following best practices for secure systems. Diversity of resolver software among the infrastructure will be considered for future expansion.

[E.3.7-A] Each Root Server Operator will adopt or continue to follow best current practices with respect to operational monitoring of elements within their infrastructure.

The ARL root server infrastructure uses redundant monitoring systems to enable low-latency alerting of potential service issues. Logs are analyzed for trends that might affect the stability of the service.

[E.3.7-B] Each Root Server Operator will adopt or continue to perform measurements of query traffic received and shall publish statistics based on those measurements.

ARL publishes statistics on query traffic in compliance with RSSAC002 at https://h.root-servers.org/rssac.html

[E.3.8.1-A] Individual Root Server Operators will continue to maintain functional communication channels between each other in order to facilitate coordination and maintain functional working relationships between technical staff.

ARL participates in the root server community and is connected to common emergency communication channels.

[E.3.8.1-B] All communications channels are to be tested regularly.

Emergency channels are tested and verified at recurring RSO technical meetings.

[E.3.8.2-A] Individual Root Server Operators shall publish administrative and operational contact information to allow users and other interested parties to escalate technical service concerns.

Contact information for the ARL root server team is available at https://h.root-servers.org and hroot@arl.army.mil.