Research

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Merely doing RPKI ROV does not provide any guarantees where your packet ends up. We conducted an experiment where we look into the impact of RPKI ROV on whether the packet ends up in the intended location based on active beaconing with two servers.

Research

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics

Newsletter

🛠 A confidence building toolbox

Nobody likes pushing the "Go" button to deploy and just hope things will be okay. 🤞 In this newsletter we'll cover some of the recent additions to our software aimed at giving you more operational confidence... 💬 In this issue: * Zone Verification in NSD. Prevent zones with errors in the DNSSEC signed

DNS

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

RPKI

Running Krill under APNIC

As you may know APNIC offers their members the option of running their own delegated RPKI CA instead of using the APNIC portal RPKI service. Moreover, APNIC also allows their members to make use of the APNIC managed RPKI repository infrastructure for publication of their RPKI objects. The latter is

RPKI

Running Krill under ARIN

When using RPKI in the ARIN region you have the choice between using the Hosted RPKI service in ARIN Online, or running Delegated RPKI. While using ARIN's web interface to manage Route Origin Authorizations (ROAs) works okay, running Delegated RPKI with free, open-source Krill has several advantages: * Krill will show

DNS

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE was already supported in NSD since version 4.3.6 released in April of 2021, as with most things in a resolver, EDE support took more time to implement. As a short

Newsletter

DNS-over-QUIC coming to Unbound

Welcome to this new edition of the NLnet Labs newsletter, bringing you the latest on our adventures from the shores of DNS and BGP land. 🏖 In this issue we continue work on our all-singing, all-dancing RPKI library 🕺, uncover the difference between the two NLnets, prove that time spent with catz

Newsletter Featured

The NLnet Labs Newsletter – Spring 2022

Welcome to our first newsletter, providing you with an update on what we've been doing over the last few months and what's coming up from your favourite open-source development crew below sea level. 👷‍♀️ In this edition: both our software development and Internet Governance activities get reinforced with new staff, the

Research

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP rate-limiting queries feature can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks. Journeying into XDP: Part 0Network

Krill

Braving the Waves with Krill

If you have the luxury that your RIR, NIR or some other organisation offers an RPKI Publication Server that you can use, well then you're in luck. You would only need to set up a Krill CA instance – you can pretty much follow the guide we wrote for "Testing the

Krill

Testing the Waters with Krill

We sometimes hear that people have cold feet when it comes to trying out Krill. But, did you know that Krill is at its most prolific in arctic oceans? So, come join us as we guide you through getting started with a Krill instance in a safe and secluded testbed

Krill

Making a Krill Sanctuary

We sometimes hear that people have cold feet when it comes to trying out Krill on the open ocean, so we decided to create a safe and secluded sanctuary. If you just want to run a Krill instance under this environment, then please read " Testing the Waters with Krill [https:

Krill

Dishing up Krill

RPKI Certification Authorities (CAs) publish their RPKI related content using a so-called Publication Server, which in turn makes the 'publication point' for this and all other CAs it serves available in an RPKI Repository. These repositories are served to Relying Party (RP) software for RPKI validation using rsync and the

Routing Featured

Of Donkeys, Mules & Horses

A quest for the perfect data-structure to store and retrieve a full table of IP Prefixes, while maintaining the hierarchical relations.

RPKI

How To Run Krill Behind an NGINX Reverse Proxy

Although Krill has a built-in HTTPS server, it may be desirable to run a production grade webserver as a reverse proxy in front of Krill. This allows easy TLS configuration and additional restrictions, if desired.

DNS

Supporting DNSSEC Key Signing Ceremonies

Over the past decade, uptake of DNSSEC has grown significantly. The vast majority of top-level domains (TLDs) is now DNSSEC-signed. While key signing ceremonies are now deployed in many places in the DNSSEC community, what is lacking is a common approach, especially related to tooling.

RPKI

Moving RPKI Beyond Routing Security

Resource Tagged Attestations, or RTAs, are a new type of RPKI object that is being proposed by authors from APNIC and NLnet Labs in the IETF. They allow any arbitrary file to be signed ‘with resources’ by one or more parties.

RPKI

Introducing JDR: explore, inspect and troubleshoot the RPKI

Today we launch the first version of JDR, our hosted tool to check anything in the RPKI. While not yet 100% feature complete, we think it already offers useful insights to operators and implementors, and moreover, we would like their input and ideas for further developments of JDR. In this

DNS

SAD DNS and NLnet Labs DNS software

Update 18 November 2021: we are aware of the follow-up paper published by the researchers. The text below remains accurate for Unbound users. Please note that Unbound 1.13.2 and newer has IPv6 PMTU disabled  for UDP. During the ACM CCS conference 2020, held November 9-13, researchers from UC

RPKI

Why Routinator Doesn’t Fall Back to Rsync

When creating software, we carefully weigh each design decision: security, resiliency, usability and many more factors play a role in the end result. This article explores the reasoning behind a behaviour that isn't specified in an RFC but which has significant impact on operators deploying RPKI.

Research

Journeying into XDP Part 1: Augmenting DNS

How can eXpress Data Path (XDP) augment existing DNS software? We share our experiences of implementing Response Rate Limiting in XDP.

RPKI

Testing .. 123 Delegated RPKI

Validate your delegated RPKI deployment with the new NLnet Labs RPKI test root.

DNS

DNS-over-HTTPS in Unbound

A major step forward in end user privacy.

DNS

Some Country for Old Men

An Unbound Story of Serving Expired Records.