The NLnet Labs Blog

Sign in Subscribe

Running Krill Under RIPE NCC

Running Krill Under RIPE NCC

When using RPKI in the RIPE NCC service region you have the choice between using the Hosted RPKI service in the LIR Portal, or running Delegated RPKI. While using the RIPE NCC's web interface to manage Route Origin Authorisations (ROAs) works great, running Delegated RPKI with free, open-source Krill Certificate

Open-source software vs. the proposed Cyber Resilience Act

Policy Featured

Open-source software vs. the proposed Cyber Resilience Act

By Maarten Aertsen NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act (CRA) intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for manufacturers. 'Commercial' + Critical = Compliance

Who? He's from the village, you don't know him

Somebody Told Me

Proxying client information to your favorite resolver and more.

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Merely doing RPKI ROV does not provide any guarantees where your packet ends up. We conducted an experiment where we look into the impact of RPKI ROV on whether the packet ends up in the intended location based on active beaconing with two servers.

Journeying into XDP: XDPerimenting with DNS telemetry

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

Running Krill under APNIC

Running Krill under APNIC

As you may know APNIC offers their members the option of running their own delegated RPKI CA instead of using the APNIC portal RPKI service. Moreover, APNIC also allows their members to make use of the APNIC managed RPKI repository infrastructure for publication of their RPKI objects. The latter is

Running Krill under ARIN

Running Krill under ARIN

When using RPKI in the ARIN region you have the choice between using the Hosted RPKI service in ARIN Online, or running Delegated RPKI. While using ARIN's web interface to manage Route Origin Authorizations (ROAs) works okay, running Delegated RPKI with free, open-source Krill has several advantages: * Krill will show

A little extra explanation is always helpf

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE was already supported in NSD since version 4.3.6 released in April of 2021, as with most things in a resolver, EDE support took more time to implement. As a short

Journeying into XDP: Fully-fledged DNS service augmentation

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP rate-limiting queries feature can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks. Journeying into XDP: Part 0Network

Braving the Waves with Krill

Braving the Waves with Krill

If you have the luxury that your RIR, NIR or some other organisation offers an RPKI Publication Server that you can use, well then you're in luck. You would only need to set up a Krill CA instance – you can pretty much follow the guide we wrote for "Testing the

Testing the Waters with Krill

Testing the Waters with Krill

We sometimes hear that people have cold feet when it comes to trying out Krill. But, did you know that Krill is at its most prolific in arctic oceans? So, come join us as we guide you through getting started with a Krill instance in a safe and secluded testbed

Making a Krill Sanctuary

Making a Krill Sanctuary

We sometimes hear that people have cold feet when it comes to trying out Krill on the open ocean, so we decided to create a safe and secluded sanctuary. If you just want to run a Krill instance under this environment, then please read " Testing the Waters with Krill [https:

Dishing up Krill

Dishing up Krill

RPKI Certification Authorities (CAs) publish their RPKI related content using a so-called Publication Server, which in turn makes the 'publication point' for this and all other CAs it serves available in an RPKI Repository. These repositories are served to Relying Party (RP) software for RPKI validation using rsync and the

Routing Featured

Of Donkeys, Mules & Horses

A quest for the perfect data-structure to store and retrieve a full table of IP Prefixes, while maintaining the hierarchical relations.

How To Run Krill Behind an NGINX Reverse Proxy

How To Run Krill Behind an NGINX Reverse Proxy

Although Krill has a built-in HTTPS server, it may be desirable to run a production grade webserver as a reverse proxy in front of Krill. This allows easy TLS configuration and additional restrictions, if desired.

Supporting DNSSEC Key Signing Ceremonies

Supporting DNSSEC Key Signing Ceremonies

Over the past decade, uptake of DNSSEC has grown significantly. The vast majority of top-level domains (TLDs) is now DNSSEC-signed. While key signing ceremonies are now deployed in many places in the DNSSEC community, what is lacking is a common approach, especially related to tooling.

Moving RPKI Beyond Routing Security

Moving RPKI Beyond Routing Security

Resource Tagged Attestations, or RTAs, are a new type of RPKI object that is being proposed by authors from APNIC and NLnet Labs in the IETF. They allow any arbitrary file to be signed ‘with resources’ by one or more parties.

Introducing JDR: explore, inspect and troubleshoot the RPKI

Introducing JDR: explore, inspect and troubleshoot the RPKI

Today we launch the first version of JDR, our hosted tool to check anything in the RPKI. While not yet 100% feature complete, we think it already offers useful insights to operators and implementors, and moreover, we would like their input and ideas for further developments of JDR. In this