Regional Internet Resolution Service
Connect Verisign’s mission-critical Domain Name System services directly to your internet infrastructure.
Verisign operates a constellation of more than 100 globally distributed internet resolution sites, including both regional resolution
sites and supersites. Verisign’s domain name servers at these resolution sites provide the associated authoritative name servers and
IP addresses for every .com and
.net domain name on the internet and a number of other top-level domain (TLD)
queries.
The Verisign constellation manages an average of more than approximately 275 billion transactions each day. Each supersite is located near large telecommunications interconnection points, where major global internet networks exchange traffic. As the internet continues to grow, Verisign continually reviews its global resolution service presence.
The Regional Internet Resolution Service (RIRS) design builds upon the existing Verisign constellation infrastructure but is smaller in size, is high-performing, and is designed to be deployed as needed around the world.
With the continued increases in average daily traffic at Verisign’s constellation sites and the increased frequency and magnitude of
distributed denial-of-service (DDoS) attacks on the internet, each RIRS is designed to serve four objectives:
- Improve internet performance and user experience by decreasing the transactional latency between a network’s recursive Domain Name System (DNS) servers and Verisign’s critical DNS services.
- Reduce dependencies on Internet Protocol (IP) transit relationships for critical DNS reachability, thereby increasing internet resiliency to DDoS attacks.
- Expand the Verisign DNS constellation to support internet growth.
- Empower networks to make connectivity changes without having to consider the impact on their ability to reach Verisign’s critical DNS services.
The Verisign RIRS is more than just a platform for the resolution of DNS traffic. The simple
architecture enables a RIRS node to be installed in any part of the world, which could bring added flexibility and resiliency to
networks of all types and their customers.
As average daily traffic at Verisign’s constellation sites continues to grow year over year, this RIRS platform enables Verisign to
help meet the demands of that growth while continuing its commitment to maintain operational accuracy and stability for its critical
DNS services.
Technical Requirements
Physical Requirements
- (1) rack unit of space
- (2) 110-240VAC power feeds
- (1) 250W of power
- (1) 1G (fiber-optic or copper) or 10G (fiber-optic-only) connection for production DNS traffic
- (1) 1G (fiber-optic or copper) or 10G (fiber-optic-only) connection for management
Internet Exchange Point Requirements
Connectivity Requirements
IPv4 | IPv6 |
---|---|
The partner must provide two discrete connections (one to the IXP peering LAN for production traffic, and one with full IP transit capabilities for management functions). | The partner must provide two discrete connections (one to the IXP peering LAN for production traffic, and one with full IP transit capabilities for management functions). |
The partner must provide an IPv4 address on the primary IXP peering LAN. | The partner must provide an IPv6 address on the primary IXP peering LAN. |
The partner must provide a /29 for management interface addressing. | The partner must provide a /64 for management interface addressing. |
Verisign will configure a static default route toward the partner router over the management interface. | Verisign will configure a static default route toward the partner router over the management interface. |
Verisign will advertise a subset of prefixes contained within the AS-GTLD IRR object to any peers established over the IX. | Verisign will advertise a subset of prefixes contained within the AS-GTLD IRR object to any peers established over the IX. |
Configuration Requirements
Verisign will peer openly with IXP participants via the production interface.
The hosting IXP must provide full IPv4 or IPv6 (IPv6 desired, but not required) transit via the management interface. The hosting network
will not be expected to run Border Gateway Protocol (BGP) over this interface.
Verisign will configure a static default route toward the hosting network over the management interface. This will be used for system
management operations only. No production DNS traffic will transit this interface.
IP Network Requirements
Connectivity Requirements
IPv4 | IPv6 |
---|---|
The partner must provide two discrete connections (one for production traffic, and one for system management functions, both with full IPv4 transit capabilities). | The partner must provide two discrete connections (one for production traffic, and one for system management functions, both with full IPv6 transit capabilities). |
The partner must provide a /30 (or /31) for the point-to-point (production) interface addressing. | The partner must provide a /126 for the point-to-point (production) interface addressing. |
An eBGP adjacency must be formed between Verisign’s RIRS server and the adjacent partner router across the production interface. | An eBGP adjacency must be formed between Verisign’s RIRS server and the adjacent partner router across the production interface. |
Via eBGP, Verisign will advertise a subset of the prefixes contained within the AS-GTLD IRR object, as well as the /28 noted below. | Via eBGP, Verisign will advertise a subset of the prefixes contained within the AS-GTLD IRR object, as well as the /64 noted below. |
The partner router will advertise a single default route toward Verisign’s RIRS server via eBGP. | The partner router will advertise a single default route toward Verisign’s RIRS server via eBGP. |
The partner must provide a /28 for management services, which Verisign will advertise via the eBGP session mentioned above. | The partner must provide a /64 for management services, which Verisign will advertise via the eBGP session mentioned above. |
The partner must provide a /29 for management interface addressing. Verisign will configure a static default route toward the partner’s router. | The partner must provide a /64 for management interface addressing. Verisign will configure a static default route toward the partner’s router. |
Configuration Requirements
Verisign will run BGP with the hosting network across the production interface.
Verisign will expect to receive a single default route via BGP.
Verisign will configure a static default route toward the hosting network over the management interface. This interface will be used
for system management operations only. No production DNS traffic will transit this interface.
RIRS Node Hosting FAQs
A RIRS node is a server that fits into a standard rack unit of space. It uses BGP to advertise two IPv4 /24s and two IPv6 /48 prefixes:
- 192.33.14.0/24 and 2001:503:231d::/48 (b.gtld-servers.net)
- 192.58.128.0/24 and 2001:503:c27::/48 (j.root-servers.net)
This provides local users fast, unfettered access to two critical DNS services:
- One of the 13 internet root DNS servers
- One of the 13 authoritative DNS servers for .com and .net
A RIRS node provides a single 1RU solution that contains two critical DNS components:
- One of the 13 root DNS servers (j.root-servers.net)
- One of the 13 authoritative DNS servers for .com and .net (b.gtld-servers.net)
This ensures that, during any external connectivity event (e.g., congestion, a DDoS attack, or a circuit outage), the hosting network’s connectivity to these critical DNS services remains uninterrupted. Additionally, users of the hosting network benefit from decreased DNS query latency.
Yes, a hosting agreement and non-disclosure agreement are required. Multiple execution options are available, depending on your country.
No, Verisign currently provides RIRS nodes free of charge, subject to the hosting network meeting our technical and contractual requirements.
Yes. Simply select the “IXP” option when providing technical information in Verisign's RIRS provisioning system.
Yes. We ask that you notify noc@verisign.com prior to doing so but understand that this may not always be possible. In that case, we ask that you notify us as soon as possible after you've disabled the node.
Verisign collects metrics about DNS performance from each node to ensure that it is functioning properly and to optimize the experience for users of the node in question.
Email rirs-help@verisign.com for assistance with decommissioning your RIRS node.