Introducing dnst — a DNS Toolbox for network operators

By Alex Band More than two decades ago, NLnet Labs started the ldns library, with the goal of letting developers easily create RFC compliant DNS software in the C programming language. The library included a number of example programs, many of which have found their way into operator workflows. With

NSD

Experimental support for AF_XDP sockets in NSD

By Jannik Peters We have been developing support for AF_XDP sockets in NSD. They allow handling a higher rate of network packets than through the Linux network stack on supported hardware[1]—For a list of supported drivers (and by extension hardware) and their minimum Linux kernel version please

Overhauling Domain

By Arya K. Previously, we discussed the massive development our domain library underwent over 2024. However, the project has been around much, much longer than that – the very first commit was made all the way back in 2015! It started out as Martin's side project and grew over

Routing

Introducing Roto: A Compiled Scripting Language for Rust

By Terts Diepraam We are working on an embedded scripting language for Rust. This language, called Roto, aims to be a simple yet fast and reliable scripting language for Rust applications. The need for Roto comes from Rotonda, our BGP engine written in Rust. Mature BGP applications usually feature some

DNS

Prometheus Metrics in NSD 4.12.0

By Jannik Peters We finally implemented a Prometheus metrics endpoint, providing the statistics you know from nsd-control stats/stats_noreset in Prometheus format via HTTP. To enable the Prometheus metrics endpoint, specify the option metrics-enable: yes in the config's server section. You can then point your Prometheus exporter

DNS

Domain Foundations – The first of our five year vision

By Arya K., Martin Hoffmann and Alex Band About a year ago, we unveiled our vision for the next five years of DNS at NLnet Labs. In this series of articles, we’d like to provide you with an update on our accomplishments last year and our plans for 2025

DNS

DNS-over-QUIC in Unbound

By Wouter Wijngaards, with contributions from Yorgos Thessalonikefs DNS-over-QUIC (DoQ) uses the QUIC transport mechanism to encrypt queries and responses. The DoQ transport for DNS is defined in RFC 9250. With the recent release, Unbound can be configured to support DoQ clients downstream. This feature is not a standard component

Policy

Supply chain security obligations for NIS2 regulated entities vs. developers of open source software

How do supply chain security obligations under the European NIS2 legislation affect those that develop the Free and Open Source Software used by "essential providers" of digital infrastructure? An overview of the response to the public comment period to the NIS2 draft implementing act.

Policy

Tracking CRA implementation for Free and Open Source Software and its Stewards

Active engagement on the Cyber Resilience Act helped to change the outcome of the negotiations for FOSS. With final text expected this fall, our focus is shifting towards CRA implementation. This includes collaborating on the "open-source software steward" role in a working group at Eclipse.

Newsletter

Introducing new DNS Diagnostics Tooling

In this DNS-centric edition of “Of Trees and Tries” we’re excited to share what we’ve been working on over the last few months. Before we get started, we have something special to share. Frances Brazier, legendary computer scientist and one of the founders of NLnet Labs, received a

Newsletter

The Spring 2024 Newsletter

Welcome back to our newsletter “Of Trees and Tries”. In this spring edition, we’re excited to share what we’ve been working on and what’s coming up in the world of open-source, open standards and tech policy. DNS Benno and Alex started the year by sharing our thoughts

Dev

NLnet Labs 💞 Packagers

We are at our best when we can focus on Internet protocols and building elegant implementations in software. That is why we love it when others help out with packaging and distributing our software. And, on February 14th, it feels appropriate to express some love and appreciation for the many

Policy

What I learned in Brussels: the Cyber Resilience Act

Last weekend I co-organised an EU policy devroom at FOSDEM, marking the end of a wild ride in EU policy land working on the Cyber Resilience Act. In this post I want to contribute to a shared understanding of how the CRA will most likely affect developers of open source

DNS

The Sovereign Tech Fund Bolsters Our Sustainable Open-Source Efforts

This year, NLnet Labs will celebrate its 25th anniversary. For two and a half decades, we have stayed true to our founding principle to offer free, open-source, liberally licensed software to support core Internet infrastructure.  Throughout 2024, the Sovereign Tech Fund will support the development of one of our projects,

DNS

Domain – DNS Building Blocks for Application Developers

In the previous article of this series, we presented our vision for DNS for the coming five years. In this post, we'll outline this year's milestones for expanding the domain crate, our Rust library serving as a collection of building blocks to include components of the

DNS

The Next Five Years of DNS at NLnet Labs

2024 marks 25 years of NLnet Labs. We have delivered on our mission to make the domain name system (DNS) more dependable and trustworthy, and we are full of ambitions for the future.  DNS standards and operations have evolved significantly in the last decades as technology advances and increasingly sophisticated

Newsletter

Destination: Brussels – Navigating the Open-Source Waters

In this newsletter all of our open-source efforts are headed for Brussels. The European Commission received our feedback on the proposed Cyber Resilience Act and we'll be presenting on these efforts at FOSDEM, the Brussels-based event centered on free and open-source software development. While we're there,

RPKI

Running Krill Under RIPE NCC

When using RPKI in the RIPE NCC service region you have the choice between using the Hosted RPKI service in the LIR Portal, or running Delegated RPKI. While using the RIPE NCC's web interface to manage Route Origin Authorisations (ROAs) works great, running Delegated RPKI with free, open-source

Newsletter

DNS and Rust in Critical Infrastructure

Last month we skipped our regularly scheduled newsletter to give centre stage to Maarten's article on open-source software vs. the proposed Cyber Resilience Act. In the new year we'll give you an update on what has happened since, but now we'd like to tell

Policy

Open-source software vs. the proposed Cyber Resilience Act

By Maarten Aertsen NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act (CRA) intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for manufacturers. 🥳update, december 2023:

DNS

Somebody Told Me

Proxying client information to your favorite resolver and more.

Newsletter

Cooking with SIMD

When developers gather around a screen like in this picture, you know something special is cooking. We're very excited about our prototyping with single instruction, multiple data (SIMD) processing, but this newsletter is not about that yet (nor about better kerning). More on that soon! Now, with the

Newsletter

⛱ The Things We Did Last Summer

We hope you enjoyed your summer! Our caipirinha-infused break was sprinkled with train trips and community gardening. 🍸🚂👩🏼‍🌾 Now that we're all back, it's time for a new edition of our newsletter "Of Trees and Tries", covering exciting new projects, releases and standards work we&

Research

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Merely doing RPKI ROV does not provide any guarantees where your packet ends up. We conducted an experiment where we look into the impact of RPKI ROV on whether the packet ends up in the intended location based on active beaconing with two servers.

Research

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics