Yeti DNS Project
--A Live Root DNS Server System Testbed

How to Join Yeti

Please contact if you wish to ask question and receive latest update in the Yeti project.

Below are details about the different ways of joining the effort.

1. Joining Yeti as a Yeti Root Server Operator

To run a Yeti root server, you need a server with good IPv6 Internet access, and a dedicated domain name of the root server which is configured as a slave to the Yeti distribution masters (DM). There are a few steps to join Yeti as a Yeti root server operator.

Step 1: Application

Please send a mail to with your basic contact information, short introduction or a short declaration to join Yeti Project as a volunteer authority server. Most importantly send a domain name and IPv6 address of the new root server which is to be added into the apex NS RRset of our root zone.

Note that even though we publish strictly IANA information for TLD data and metadata, it’s necessary for us to replace the apex NS RRset. Once we verify that your server is operational we will add it to the apex NS RRset, and we will add you and your designated colleagues to the mailing list.

Step 2: Root server setup

The root server must provide DNS service only over IPv6. No A record and no answer when queried over IPv4.

ACLs are in place on some of the distribution masters so you need to request a hole for your server’s IPv6 address (send an email to Test with `dig @$DistributionMaster AXFR .’ to see if you can do a zone transfer. You may have to add ‘-b $ServiceIPaddress’ if your machine is multihomed.

Configure the root server as a slave to the Yeti DM. You can add the following to the configuration file of your root server.

masters yeti-dm {
        240c:f:1:22::7;          # bii
        2001:200:1d9::53;        # wide
        2001:4f8:3:1006::1:5;    # tisf
    name: "."
    request-xfr: 240c:f:1:22::7 NOKEY
    request-xfr: 2001:200:1d9::53 NOKEY
    request-xfr: 2001:4f8:3:1006::1:5 NOKEY
    allow-notify: 240c:f:1:22::7 NOKEY
    allow-notify: 2001:200:1d9::53 NOKEY
    allow-notify: 2001:4f8:3:1006::1:5 NOKEY
- id: yeti-dm-bii
  address: 240c:f:1:22::7
- id: yeti-dm-wide
  address: 2001:200:1d9::53
- id: yeti-dm-tisf
  address: 2001:4f8:3:1006::1:5
- id: yeti-notify-bii
  address: 240c:f:1:22::7
  action: notify
- id: yeti-notify-wide
  address: 2001:200:1d9::53
  action: notify
- id: yeti-notify-tisf
  address: 2001:4f8:3:1006::1:5
  action: notify
- domain: "."
  file: ""
  master: [ yeti-dm-bii, yeti-dm-wide, yeti-dm-tisf ]
  acl: [ yeti-notify-bii, yeti-notify-wide, yeti-notify-tisf ]

Afterward, please send a mail to coordinators mailing list to notify that it is done.

Step 3: Monitoring system setup

For the purpose of experiment and measurement study,we require each root server operator to capture DNS packet on DNS servers and save as pcap file, then send to our storage server. Regarding the data sharing issue, please turn to the data sharing document of YETI Project.

Setup and join the YETI monitoring system . This script submits DNS packet via SSH. Note that it uses SSH public key authentication, so user should provide SSH public key via mail to the coordinators (note that currently support DSA and RSA and ECC).

2. Joining Yeti as a Resolver Operator

We encourage people running resolvers to join the project. These should be used for real-world queries, but for informed users in non-critical environments.

To join the Yeti project as a resolver operator, you need to have a working DNS resolver with IPv6 support. You need to update your “hints” file to use the Yeti root servers instead of the IANA root servers. The current “hints” file can be found here:

And the DNSSEC key is:

Warning: the DNSSEC key of the Yeti root (the KSK) changes often (typically every three months). You must therefore configure your resolver to use RFC 5011 automatic update or be ready to make many changes manually.

In the purpose of some experiment, we need information and feedback from client side, so we encourage resolver operator to register it mail address for technical assistance, Yeti testbed changes or experiments coordination. If you setup your recursive server linked with Yeti root server, please contact

Configuration of the resolver:

    root-hints: "yeti-hints"
    # Check the file is writable by Unbound
    auto-trust-anchor-file: autokey/yeti-key.key
zone "." {
   type hint;
   file "/etc/bind/yeti-hints";
managed-keys {
   "." initial-key 257 3 8 "AwEAAbA0lBT1aDxwoNl7d/fXqFFBtL+VwBLqgOYHgAqrnvhRvHs+GrTW ZZ5gZu/0NeX4YGXmovT1nGpY/9oi30pDvbzPluQXOKSVP/xr1KyLPp8p
                            xiVqGe973F55fX4iQOUMB2n2VXfIxSryTNYPz44Zltpa10WAVYzHpy3o xx0qZSeDsdPHMNB7Ym0hBMY92cifWyQWifHbcgbFGf2mpwF00vALl92q 
                            hnvIORVZC/ihNNd7DvQtMLdUvSoQ0woC/EhqexXQv0bLlPkG55d37Joa VbWCEnWLZ+CT+Eei5U4VCqH+xCEvOjT45ZQt0kfB3K4bwfh6D5EBleJ1

In the BIND example, the text between quotes is the key, from

-- -*- mode: lua -*-
-- Knot uses a specific format for the hints so we cannot use the official hints file.
modules = {
   'hints' -- Add other modules, if necessary
      [''] = '240c:f:1:22::6',
      [''] = '2001:4f8:3:1006::1:4',
      [''] = '2001:200:1d9::35',
      [''] = '2a02:cdc5:9715:0:185:5:203:53',
      [''] = '2001:4b98:dc2:45:216:3eff:fe4b:8c5b',
      [''] = '2a02:2810:0:405::250',
      [''] = '2001:6d0:6d06::53',
      [''] = '2a01:4f8:161:6106:1::10',
      [''] = '2001:e30:1c1e:1::333',
      [''] = '2001:1608:10:167:32e::53',
      [''] = '2604:6600:2000:11::4854:a010',
      [''] = '2a02:ec0:200::1',
      [''] = '2001:67c:217c:6::2',
      [''] = '2001:620:0:ff::29',
      [''] = '2001:1398:1:21::8001',
      [''] = '2001:da8:a3:a027::6',
      [''] = '2001:da8:268:4200::6',
      [''] = '2400:a980:30ff::6',
      [''] = '2401:c900:1401:3b:c::6',
      [''] = '2c0f:f530::6',
      [''] = '2001:e30:187d::333',
      ['xn--r2bi1c.xn--h2bv6c0a.xn--h2brj9c.'] = '2001:e30:1c1e:10::333',
      [''] = '2001:19f0:0:1133::53',
      [''] = '2a02:990:100:b01::53:0',
      [''] = '2a00:e50:f15c:1000::1:53'

yeti-root.key is the official root key file, from

TODO: The above should work with RFC 5011 but let’s test

3. Joining Yeti as a Researcher

Researchers are encouraged to join the Yeti discussion list:

Potential experiments or analysis can be discussed there. Confidential inquiries can be sent to