U.S. Army DEVCOM Army Research Laboratory Statement of Compliance with RSSAC001
The U.S. Army DEVCOM Army Research Laboratory (ARL) is committed to serving the DNS root zone securely and reliably as one of the Internet's root server operators (RSOs). This document demonstrates our compliance with the expectations of an RSO as described in RSSAC001.
[E.3.1-A] Individual Root Server Operators are to publish or continue to publish operationally relevant details of their infrastructure, including service-delivery locations, addressing information and routing (e.g., origin autonomous system) information.
This information is published and updated accordingly at https://www.root-servers.org.
[E.3.1-B] Individual Root Servers will deliver the service in conformance to IETF standards and requirements as described in RFC 7720 and any other IETF standards-defined Internet Protocol as deemed appropriate.
The operation of the ARL root name servers complies with RFC 7720 and other relevant IETF standard protocols.
[E.3.2-A] Individual Root Servers will adopt or continue to implement the current DNS protocol and associated best practices through appropriate software and infrastructure choices.
The operation of the ARL root name servers complies with current DNS protocol and associated best practices by using appropriate software and hardware.
[E.3.2-B] Individual Root Servers will serve accurate and current revisions of the root zone.
The ARL root name servers publish the root zone as provided by the Root Zone Maintainer (RZM). New versions of the zone are loaded and served as soon as notification and zone transfer complete.
[E.3.2-C] Individual Root Servers will continue to provide 'loosely coherent' service across their infrastructure.
The ARL root name server instances all receive notifications directly from the RZM and attempt to transfer/load the zone immediately upon receipt of said notification. Notification, zone transfer, and load times vary slightly among instances, thus providing a 'loosely coherent' service across our infrastructure.
[E.3.2-D] All Root Servers will continue to serve precise, accurate zones as distributed from the Root Zone Maintainer.
The ARL root name server instances ensure the integrity of zone data received from the RZM using the TSIG protocol (RFC 6895) with best practices for key management. ARL will only serve unmodified contents of zone data received from the RZM.
[E.3.3-A] Individual Root Servers are to be deployed such that planned maintenance on individual infrastructure elements is possible without any measurable loss of service availability.
Planned maintenance is scheduled such that the maximum number of instances are always available. BGP announcements are withdrawn for instances that are temporarily unavailable for maintenance.
[E.3.3-B] Infrastructure used to deploy individual Root Servers is to be significantly redundant, such that unplanned failures in individual components do not cause the corresponding service to become generally unavailable to the Internet.
ARL operates several anycast instances of its service around the world. Unplanned failures will not cause the service to become generally unavailable to the Internet.
[E.3.3-C] Each root server operator shall publish documentation that describes the operator's commitment to service availability through maintenance scheduling and notification of relevant operational events.
ARL makes announcements prior to planned maintenance to any of its service infrastructure.
[E.3.4-A] Individual Root Server Operators will make all reasonable efforts to ensure that sufficient capacity exists in their deployed infrastructure to allow for substantial flash crowds or denial of service (DoS) attacks.
Significant over-provisioning of network and compute capabilities has been deployed in the ARL root server infrastructure. Rate limiting and denial-of-service mitigations are in place.
[E.3.4-B] Each Root Server Operator shall publish documentation on the capacity of their infrastructure, including details of current steady-state load and the maximum estimated capacity available.
ARL does not publish data on the capacity of its infrastructure. Current steady-state load data is published via RSSAC002 statistics.
[E.3.5-A] Individual Root Server Operators will adopt or continue to follow best practices with regard to operational security in the operation of their infrastructure.
ARL follows current best practices for operational security of critical systems on its root server infrastructure.
[E.3.5-B] Root Server Operators shall publish high-level business continuity plans with respect to their Root Server infrastructure.
The root server infrastructure at ARL is deemed 'critical infrastructure' and its operation will not be affected by organizational stoppages. Operational personnel are considered critical as well and are available to perform their required duties at all times.
[E.3.6-A] Each Root Server Operator shall publish documentation that describes key implementation choices (such as the type of DNS software used) to allow interested members of the Internet community to assess the diversity of implementation choices across the system as a whole.
ARL uses NSD software on Linux systems across its root server infrastructure. As new versions of software and OS components are released, software is tested and deployed following best practices for secure systems. Diversity of resolver software among the infrastructure will be considered for future expansion.
[E.3.7-A] Each Root Server Operator will adopt or continue to follow best current practices with respect to operational monitoring of elements within their infrastructure.
The ARL root server infrastructure uses redundant monitoring systems to enable low-latency alerting of potential service issues. Logs are analyzed for trends that might affect the stability of the service.
[E.3.7-B] Each Root Server Operator will adopt or continue to perform measurements of query traffic received and shall publish statistics based on those measurements.
ARL publishes statistics on query traffic in compliance with RSSAC002 at https://h.root-servers.org/rssac.html
[E.3.8.1-A] Individual Root Server Operators will continue to maintain functional communication channels between each other in order to facilitate coordination and maintain functional working relationships between technical staff.
ARL participates in the root server community and is connected to common emergency communication channels.
[E.3.8.1-B] All communications channels are to be tested regularly.
Emergency channels are tested and verified at recurring RSO technical meetings.
[E.3.8.2-A] Individual Root Server Operators shall publish administrative and operational contact information to allow users and other interested parties to escalate technical service concerns.
Contact information for the ARL root server team is available at https://h.root-servers.org and hroot@arl.army.mil.