November 19, 2015

Verisign provides critical Internet infrastructure for users worldwide. Not only does Verisign operate two of the Internet’s 13 root name servers, we also operate the name servers that resolve the .com and .net top-level domains. If you use the global Domain Name System (DNS), then you are probably relying on Verisign’s infrastructure.

The Verisign .com and .net name servers answer 111 billion queries per second and, at times, handle much higher loads during high-traffic events or high-bandwidth Distributed Denial of Service (DDoS) attacks. These name servers are deployed at about 80 locations around the globe to ensure that no matter where you are, you can get DNS responses with low latency and high reliability.

One of the ways we ensure resilient DNS service is through the use of diverse operating systems. FreeBSD comprises a significant portion of the mix of operating systems that serve the root zone, and the .com and .net zones. Multiple operating systems are just one component of a layered design that incorporates redundancy and diversity across the system’s architecture.

When we decided to change the mix of operating systems, we conducted a thorough survey of the alternatives. After reviewing all of these operating systems, we selected FreeBSD for the .com, .net and root name servers based primarily on six considerations:

  1. System Code Diversity: The BSD kernel and network stack are sufficiently different from the Linux kernel and network stack to provide mitigation against zero-day exploits. We reviewed the source code, as well as the development philosophy used by the FreeBSD developers.
  2. Network Performance: FreeBSD provides performance for name server workloads that is similar to that of Linux. It is encouraging to see the continued awareness and effort put into improving network performance on FreeBSD.
  3. Hardware Support: Verisign regularly refreshes the hardware that comprises our name server footprint. FreeBSD is typically available for the commodity server hardware that Verisign chooses during a hardware refresh cycle. It is important to know that there will be reasonably short latency between the introduction of new server hardware and support for that hardware in FreeBSD.
  4. Demonstrated History of Reliability: FreeBSD’s reputation as a reliable server was a critical factor for us. The services hosted on FreeBSD have very high availability requirements, and FreeBSD’s track record of rock-solid operation directly addresses this criterion.
  5. Demonstrated History of Secure Operation: The FreeBSD development community has a long track record of taking security seriously. When vulnerabilities are discovered, we typically see rapid disclosure and patches available almost immediately.
  6. Licensing: The attention that the community pays to providing quality open source, without encumbering its use, is important to Verisign.

One of the many ways Verisign “gives back” to the community is through the biennial vBSDcon conference. The conference is typically scheduled for a weekend in the October/November time frame; previous conferences were held in 2013 and 2015.

Since making the change to FreeBSD, we have been pleased to see it live up to our expectations. The FreeBSD development community should be proud to have critical Internet infrastructure served on FreeBSD; their hard work makes the Internet safer and more reliable. Verisign is proud to participate in the FreeBSD development community and to have employees who contribute work back to FreeBSD as well.

– Glen Wiley, Principal Engineer, Verisign, Inc.