Yeti DNS


Yeti DNS Project Phase-2
--A Live IPv6-only Root DNS Server System Testbed
How to Join Yeti
Please contact discuss@lists.yeti-dns.org if you wish to ask questions and receive the latest updates on the Yeti project.
Below are details about the different ways of joining the effort.
1. Joining Yeti as a Yeti Root Server Operator
To run a Yeti root server, you need a server with good IPv6 Internet access and a dedicated domain name for the root server, which is configured as a slave to the Yeti distribution masters (DM). There are a few steps to join Yeti as a Yeti root server operator.
Step 1: Application
Please send a mail to coordinators@lists.yeti-dns.org with your basic contact information and a short introduction or a short declaration to join the Yeti Project as a volunteer authority server. Most importantly, send the domain name and IPv6 address of the new root server, which is to be added to the apex NS RRset of our root zone.
Note that even though we publish strictly IANA information for TLD data and metadata, it’s necessary for us to replace the apex NS RRset. Once we verify that your server is operational we will add it to the apex NS RRset, and we will add you and your designated colleagues to the operators@lists.yeti-dns.org mailing list.
Step 2: Root server setup
The root server must provide DNS service only over IPv6: it must have no A record and must give no answer when queried over IPv4.
ACLs are in place on some of the distribution masters, so you need to request a hole for your server's IPv6 address (send an email to coordinators@lists.yeti-dns.org). Test with 'dig @$DistributionMaster AXFR .' to see if you can do a zone transfer. You may have to add '-b $ServiceIPaddress' if your machine is multihomed.
Configure the root server as a slave to the Yeti DM. You can add the following to the configuration file of your root server.
BIND:
    masters yeti-dm {
        240c:f:1:22::7;        # bii
        2001:200:1d9::53;      # wide
        2001:4f8:3:1006::1:5;  # tisf
    };
NSD:
    zone:
        name: "."
        # BII
        request-xfr: 240c:f:1:22::7 NOKEY
        # WIDE
        request-xfr: 2001:200:1d9::53 NOKEY
        # TISF
        request-xfr: 2001:4f8:3:1006::1:5 NOKEY
        allow-notify: 240c:f:1:22::7 NOKEY
        allow-notify: 2001:200:1d9::53 NOKEY
        allow-notify: 2001:4f8:3:1006::1:5 NOKEY
Knot:
    remote:
      - id: yeti-dm-bii
        address: 240c:f:1:22::7
      - id: yeti-dm-wide
        address: 2001:200:1d9::53
      - id: yeti-dm-tisf
        address: 2001:4f8:3:1006::1:5
    acl:
      - id: yeti-notify-bii
        address: 240c:f:1:22::7
        action: notify
      - id: yeti-notify-wide
        address: 2001:200:1d9::53
        action: notify
      - id: yeti-notify-tisf
        address: 2001:4f8:3:1006::1:5
        action: notify
    zone:
      - domain: "."
        file: "root.zone"
        master: [ yeti-dm-bii, yeti-dm-wide, yeti-dm-tisf ]
        acl: [ yeti-notify-bii, yeti-notify-wide, yeti-notify-tisf ]
Afterward, please send a mail to the coordinators mailing list to let them know that it is done.
Step 3: Monitoring system setup
For the purpose of experiment and measurement study, we require each root server operator to capture DNS packets on the DNS servers, save them as pcap files, and send them to our storage server. For data sharing questions, please refer to the data sharing document of the YETI Project.
Set up and join the YETI monitoring system. This script submits DNS packets via SSH. Note that it uses SSH public key authentication, so users should provide an SSH public key via mail to the coordinators (DSA, RSA and ECC are currently supported).
2. Joining Yeti as a Resolver Operator
We encourage people running resolvers to join the project. These should be used for real-world queries, but by informed users in non-critical environments.
To join the Yeti project as a resolver operator, you need to have a working DNS resolver with IPv6 support.
You need to update your “hints” file to use the Yeti root servers instead of the IANA root servers.
The current “hints” file can be found here:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/named.cache
And the DNSSEC key is:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
Warning: the DNSSEC key of the Yeti root (the KSK) changes often (typically every three months). You must therefore configure your resolver to use RFC 5011 automatic update or be ready to make many changes manually.
For some experiments we need information and feedback from the client side, so we encourage resolver operators to register their mail address for technical assistance, Yeti testbed changes or experiment coordination. If you set up a recursive server linked with the Yeti root servers, please contact coordinators@lists.yeti-dns.org.
Configuration of the resolver:
Unbound:
    server:
        root-hints: "yeti-hints"
        # Check the file is writable by Unbound
        auto-trust-anchor-file: autokey/yeti-key.key
BIND:
    zone "." {
        type hint;
        file "/etc/bind/yeti-hints";
    };
    managed-keys {
        "." initial-key 257 3 8 "AwEAAdZZqL65TA/kHkLq1+ON5eQYm9PUBgV5UQbPcQtRAXbad1l6m6R0 iJIg46IiyFyUkEh+H7Z9/oPNnkM9zub2TjFiNVZUSnpyWtPqVD5nHrhU OdS3yW/AXpZuNJ3zX9XDXUpiEnfTPOMrUiZppP1fqx/jnAC9YDLs4K26 ocoDyQp+umu+eOrP/TOacRag+9r9NiQzsVuXHQnCwpPY4NwlA7QRaOOj BiI9tNEDD2khVE7Yy5c/sZYirlTOTEBbXkd9l9WVqRgEO+ikb8GMg7hg Oddvqj7ItBZvBUACQc3c0OqaLnEZx6CwIQpjxpPPYdyiEdKSwHGH3V3T fS+AEQlW8uk=";
    };
In the BIND example, the text between quotes is the key, from https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
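Because the Yeti KSK changes often, it is worth confirming that the key pasted into managed-keys is the one currently published. The following is an added example, not part of the Yeti project's material: it computes the RFC 4034 key tag and compares a zone-file DNSKEY record with a BIND initial-key entry. The sample key is a constructed placeholder, the function names are hypothetical, and it assumes KSK.pub holds a standard DNSKEY record.

```python
import base64
import re

# Constructed placeholder key (three bytes), not the Yeti KSK.
SAMPLE_PUBLISHED = ". 3600 IN DNSKEY 257 3 8 AQID"
SAMPLE_CONFIGURED = 'managed-keys { "." initial-key 257 3 8 "AQ ID"; };'

# Matches 'DNSKEY 257 3 8 <base64>' and 'initial-key 257 3 8 "<base64>"'.
KEY_RE = re.compile(
    r'(?:DNSKEY|initial-key)\s+(\d+)\s+(\d+)\s+(\d+)\s+(?:"([^"]+)"|([^\n;]+))')

def parse_key(text):
    """Return the wire-format DNSKEY RDATA (RFC 4034, section 2.1)."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no DNSKEY or initial-key entry found")
    flags, protocol, algorithm = (int(x) for x in m.group(1, 2, 3))
    b64 = "".join((m.group(4) or m.group(5)).split())  # drop line-wrap spaces
    key = base64.b64decode(b64, validate=True)
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def same_trust_anchor(published, configured):
    """True if both texts carry the same key and it has the SEP (KSK) bit."""
    a, b = parse_key(published), parse_key(configured)
    sep_set = (int.from_bytes(a[:2], "big") & 0x0001) == 1
    return sep_set and a == b

if __name__ == "__main__":
    print("key tag:", key_tag(parse_key(SAMPLE_PUBLISHED)))
    print("match:", same_trust_anchor(SAMPLE_PUBLISHED, SAMPLE_CONFIGURED))
```

The key tag can be compared with the key id that validating resolvers and tools such as dig report for the root DNSKEY.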
Knot:
    -- -*- mode: lua -*-
    -- Knot uses a specific format for the hints so we cannot use the official hints file.
    modules = {
        'hints' -- Add other modules, if necessary
    }
    hints.root({
        ['bii.dns-lab.net.'] = '240c:f:1:22::6',
        ['yeti-ns.wide.ad.jp.'] = '2001:200:1d9::35',
        ['yeti-ns.as59715.net.'] = '2a02:cdc5:9715:0:185:5:203:53',
        ['yeti-ns.ix.ru.'] = '2001:6d0:6d06::53',
        ['yeti.bofh.priv.at.'] = '2a01:4f8:161:6106:1::10',
        ['yeti.ipv6.ernet.in.'] = '2001:e30:1c1e:1::333',
        ['yeti.aquaray.com.'] = '2a02:ec0:200::1',
        ['yeti-ns7.root-yeti.net.'] = '2a0d:5600:21::485e:8017',
        ['yeti-ns8.root-yeti.net.'] = '2a05:f480:1400:8b::6',
        ['yeti-ns9.root-yeti.net.'] = '2001:19f0:5:4054::6',
        ['yeti-ns.lab.nic.cl.'] = '2001:1398:1:21::8001',
        ['yeti-ns1.dns-lab.net.'] = '240e:eb:8001:e01::53',
        ['yeti-ns2.dns-lab.net.'] = '240e:d9:c200:14c:7472::19e0',
        ['yeti-ns3.dns-lab.net.'] = '240e:6b0:200::139',
        ['3f79bb7b435b05321651daefd374cd.yeti-dns.net.'] = '2401:c080:1800:4de9::6',
        ['ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.'] = '2c0f:f530::6',
        ['xn--r2bi1c.xn--h2bv6c0a.xn--h2brj9c.'] = '2001:e30:1c1e:10::333',
        ['yeti-ns.datev.net.'] = '2a00:e50:f15c:1000::1:53',
        ['yeti1.ipv6.ernet.in.'] = '2001:e30:187d::333',
        ['yeti-ns.ipv6forummalaysia.com.'] = '2401:340:aaaa:100::8b31:256e',
        ['ns3.root-yeti.net.'] = '2400:6180:100:d0::8df:4001',
        ['ns4.root-yeti.net.'] = '2803:80:8001:228::6',
        ['ns5.root-yeti.net.'] = '2001:19f0:4400:7fff::6',
        ['ns6.root-yeti.net.'] = '2001:470:1:703::3',
        ['ns1.yeti.akira.org.'] = '2a01:4f8:252:2ade:2::2',
    })
    trust_anchors.config('yeti-root.key')
yeti-root.key is the official root key file, from https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
TODO: The above should work with RFC 5011 but let’s test
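The Knot hints table above is a hand-copied list, so it goes stale when the published hints file changes. As an added example (not code from the Yeti project), this Python script checks that a root hints file is IPv6-only and renders the hints.root() call from it. The sample data is constructed with documentation addresses, and parse_hints and to_knot_hints are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample in root-hints (named.cache) layout. Names and addresses
# are placeholders from 2001:db8::/32, not real Yeti servers.
SAMPLE_HINTS = """\
; constructed sample
.                  3600000 IN NS   ns1.example.net.
.                  3600000 IN NS   ns2.example.net.
ns1.example.net.   3600000 IN AAAA 2001:db8:1::53
ns2.example.net.   3600000 IN AAAA 2001:db8:2::53
"""

NAME_RE = re.compile(r"([a-z0-9_-]+\.)+")  # keeps quotes etc. out of the Lua

def parse_hints(text):
    """Return {server_name: ipv6_address}; raise ValueError on anything
    that does not belong in an IPv6-only root hints file."""
    ns_names, glue = set(), {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: malformed record")
        # owner [ttl] [class] type rdata: type and rdata are the last two
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if rtype == "NS" and owner == ".":
            ns_names.add(rdata.lower())
        elif rtype == "AAAA" and NAME_RE.fullmatch(owner):
            glue[owner] = str(ipaddress.IPv6Address(rdata))  # validates
        elif rtype == "A":
            raise ValueError(f"line {lineno}: IPv4 glue in IPv6-only hints")
        else:
            raise ValueError(f"line {lineno}: unexpected record")
    if ns_names != set(glue):
        raise ValueError("NS names and AAAA glue do not match")
    return glue

def to_knot_hints(glue):
    """Render the Lua hints.root() call for the Knot Resolver config."""
    rows = [f"    ['{n}'] = '{a}'," for n, a in sorted(glue.items())]
    return "hints.root({\n" + "\n".join(rows) + "\n})"

if __name__ == "__main__":
    print(to_knot_hints(parse_hints(SAMPLE_HINTS)))
```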
3. Joining Yeti as a Researcher
Researchers are encouraged to join the Yeti discussion list:
http://lists.yeti-dns.org/mailman/listinfo/discuss
Potential experiments or analysis can be discussed there.
Confidential inquiries can be sent to coordinators@lists.yeti-dns.org.
@2019 Yeti project Powered by www.jekyllrb.com