Internet Infrastructure#

Reference of the global internet’s foundational pieces, DNS roots, address allocations (RIRs), exchange points (IXPs), and root certificate authorities. The actors here are the small set that make routing, naming, and trust work end-to-end.

For protocols, see Network Protocols. For the cloud regions on top, see Cloud Regions.

DNS root operators#

Letter / operator

Notes

A Verisign

operates the global “A root” with anycast.

B USC ISI

University of Southern California.

C Cogent

Cogent Communications.

D University of M E NASA Ames

D

F ISC

Internet Systems Consortium.

G US DoD NIC

Defense Information Systems Agency.

H US Army

Aberdeen Proving Ground.

I Netnod J Verisign

Sweden.

K RIPE NCC L ICANN

Netherlands.

M WIDE Project

Japan.

  • All 13 named root servers (A-M) operate as anycast constellations with hundreds of physical instances.

  • Live status: root-servers.org.

Regional Internet Registries (RIRs)#

RIR

Region

ARIN

North America (US, CA, parts of Caribbean).

RIPE NCC

Europe, Middle East, Central Asia.

APNIC

Asia-Pacific.

LACNIC

Latin America + most of Caribbean.

AFRINIC

Africa.

  • IPv4 / IPv6 / ASN allocation; WHOIS + RDAP.

  • IPv4 free pools exhausted (2011-2017 by region); IPv4 transfers + brokers are the modern reality.

National / Local Internet Registries (NIRs)#

NIR

Country

APJII

Indonesia (under APNIC).

CNNIC

China (under APNIC).

IRINN

India (under APNIC).

JPNIC

Japan (under APNIC).

KRNIC / KISA

Korea (under APNIC).

TWNIC

Taiwan (under APNIC).

VNNIC

Vietnam (under APNIC).

NIC.AR

Argentina.

NIC.BR

Brazil.

NIC.MX

Mexico.

Major Internet Exchange Points (IXPs)#

IXP

Notes

DE-CIX (Frankfurt)

one of the largest in the world; ~1000+ networks; multiple sites (FRA, HAM, MUC, NYC, DFW, MUM, ICN, MEX, LIS, …).

AMS-IX (Amsterdam)

one of the largest; multi-site.

LINX (London) France-IX (Paris) MSK-IX (Moscow) MIX (Milan) NIX.CZ (Prague)

LON1 / LON2 / Manchester / Cardiff / Edinburgh.

NL-ix (Netherlands)

multi-EU footprint.

Equinix IBX exchang

es (NY, SV, LA, MIA, CHI, DC, ASH, LHR, FRA, AMS, SG, HKG, TYO, NRT, SYD, …).

DRPeering / Megapor NYIIX (New York) PA-IX (Palo Alto) SIX Seattle JPNAP (Tokyo) JPIX (Tokyo) HKIX (Hong Kong) SGIX (Singapore) BBIX (Tokyo) KIX (Korea)

t (multi-cloud + IXP overlay).

PIT (Brazil sao pau NIXI (India)

lo), IX.br is the largest by participant count globally.

CIX (China; closed JINX (Johannesburg)

peering).

NAPAfrica (JNB / CP

T / KIX-LOS)

Tier-1 transit networks#

Operator

Notes

Lumen / CenturyLink

AS3356 (Level 3 lineage); largest by AS path count.

Telia Carrier

AS1299; renamed Arelion 2021.

NTT Communications

AS2914.

Tata Communications

AS6453.

GTT Communications

AS3257.

Sprint / T-Mobile

AS1239.

Cogent Comms.

AS174.

Zayo Group

AS6461.

Telecom Italia (TI)

AS6762.

Telxius (Telefónica

) AS12956.

Orange (FR)

AS5511.

PCCW Global

AS3491.

TeliaSonera Int.

AS1299 (Arelion).

Hurricane Electric

AS6939; debated tier-1 status; not paid-peering with all.

Top Cloud / CDN backbones#

Operator

Notes

Google

AS15169; massive private backbone (Jupiter, B4).

Cloudflare

AS13335; one of the largest at edge POP count.

Microsoft

AS8075; Azure backbone.

Amazon

AS16509; AWS Global Accelerator.

Akamai

AS20940 (others); CDN ancestor.

Fastly

AS54113.

Netflix

AS2906; Open Connect.

Meta

AS32934; Facebook private backbone.

Apple

AS714.

Top-Level Domains#

TLD class

Notes

gTLDs (legacy)

.com, .org, .net, .edu, .gov, .mil, .int.

new gTLDs

.app, .dev, .cloud, .tech, .io (per ccTLD), ~1500 since 2014.

ccTLDs

~250 ISO 3166 alpha-2 codes (.us, .uk, .de, .jp, .cn, .br, .in, …). Some operate openly (.io, .ai, .tv, .me), others restrict registration to nationals.

sTLDs

.museum, .aero, .coop, .jobs, .xxx (sponsored).

gIDN

internationalised gTLDs (Punycode).

ARPA

administrative; in-addr.arpa, ip6.arpa for reverse DNS.

Root CAs (browser / OS roots)#

Program

Notes

Mozilla NSS

the de-facto root program; used by Firefox, Thunderbird, curl (default), most Linux distros.

Microsoft Trusted Root Program

Windows / Edge.

Apple Trust Store

macOS / iOS / Safari.

Google Chrome Root

separate (since 2023).

Adobe Approved

PDF signing.

Java Cacerts

JDK-shipped store.

Android (AOSP)

per device + per app.

Major commercial CAs#

  • DigiCert (incl. Symantec / GeoTrust / Thawte / RapidSSL legacy).

  • Sectigo (formerly Comodo).

  • GlobalSign.

  • Entrust.

  • IdenTrust.

  • GoDaddy.

  • Network Solutions.

  • SwissSign.

  • TrustWave / Trustico.

  • Microsoft (internal + commercial).

Free / automated#

  • Let’s Encrypt (ISRG); ACME.

  • ZeroSSL.

  • Buypass.

  • Google Trust Services (also free ACME).

  • Amazon Trust Services (free for AWS resources).

CT logs#

Log

Operator

Argon, Xenon (Googl

  1. Google.

Sabre, Mammoth

Sectigo.

Yeti, Nessie

DigiCert.

Nimbus, Cirrus

Cloudflare.

Oak

Let’s Encrypt.

RPKI (resource certification)#

Concept

Notes

RPKI

Resource Public Key Infrastructure; signs IP / ASN assignments; basis for BGP origin validation.

ROA

Route Origin Authorization; “AS X may originate prefix Y”.

TAL

Trust Anchor Locator; one per RIR.

RTR protocol

relay validated state to routers.

Internet governance#

Body

Notes

ICANN

coordinates DNS, IP, ASNs.

IANA

operational arm; PTI subsidiary of ICANN.

IETF

technical standards (RFCs).

IAB

architectural oversight (Internet Architecture Board).

IRTF

research arm.

RIPE / APNIC / ARIN

/ LACNIC / AFRINIC, RIRs.

ITU-T

UN body; pre-ICANN history.

W3C

web standards.

WHATWG

“living standard” web specs.

NRO

Number Resource Organization; collective of RIRs.

Operator notes#

  • Anycast everywhere, root DNS, public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9), CDNs, IXPs all use anycast routing for edge proximity + DDoS absorption.

  • AS lookup, bgpview.io, bgp.tools, Hurricane Electric bgp.he.net, RIPEstat, IRR / IRRdb databases.

  • PeeringDB, the standard source for cross-network contact + facility / IX presence data.

  • WHOIS has been progressively replaced by RDAP since 2019.

  • DNSSEC root key roll, KSK-2017 first roll in 2018; future rolls every 5-7 years.

  • BGP hijacks, detected by RPKI invalid + monitoring (BGPmon, Cisco Crosswork, Cloudflare Radar, ThousandEyes).

  • Sub-sea cables, 600+ cables landing at 1300+ landing stations; the substrate underneath all the rest.

References#