Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
101 lines (79 sloc) 3.02 KB


This document describes the process used to generate and distribute the Yeti root.

The Yeti DNS Project takes the IANA root zone, and performs minimal changes needed to serve the zone from the Yeti root servers instead of the IANA root servers.

In Yeti, this modified root zone is generated by the Yeti Distribution Masters (DM), which provide it to the Yeti root servers.

While in principle this could be done by a single DM, Yeti uses a set of three DM. These DM coordinate their work so that the resulting Yeti root zone is always consistent. (We need to avoid the case where not all DM share the same set of Yeti root servers, and so they produce different versions of the Yeti root zone with the same serial.)


The generation process is:

  1. Download the latest IANA root zone
  2. Make modifications to change from the IANA to Yeti root servers
  3. Sign the new Yeti root zone
  4. Publish the new Yeti root zone

IANA Root Zone

The root zone is currently downloaded using AXFR from F.ROOT-SERVERS.NET:

   $ dig -t axfr .

This appears to be the best way to get the updated version of the root zone as soon as possible.

TODO: The DM should check that the zone they are retrieving from IANA is properly signed, with something like ldns-verify-zone.

A new version of the Yeti zone is only generated when the IANA zone changes, which is detected by the change in the serial number value in the SOA record.

KSK secret

All DM share the same KSK secret material. This generated using the BIND 9 dnssec-keygen tool, and then sent via encrypted PGP to the other DM operators.


The root zone is modified as follows:

  • The SOA is updated:
    • The MNAME and RNAME are set to Yeti values
  • The IANA DNSSEC information is removed:
    • The DNSKEY records
    • The RRSIG and NSEC records
  • The IANA root server records are removed:
    • The NS records for [A-M].ROOT-SERVERS.NET
  • The Yeti DNSSEC information is added:
    • The DNSKEY records
  • The Yeti root server records are added:
    • The NS records
    • The AAAA glue records
  • The Yeti root zone is signed

It might be worthwhile to use the serial value in the SOA field, however for now we duplicate the IANA serial value.

The list of Yeti name Servers is synchronized between the DM as described below.


Each Yeti DM checks to see if the IANA root zone has changed hourly, on the following schedule:

DM Time
BII hour + 00
WIDE hour + 20
TISF hour + 40

A new version of the Yeti root zone is generated if the IANA root zone has changed.

Synchronizing Yeti DM Configuration

Synchronization between the Yeti DM is described in the Yeti DM Synchronization document.