Team NLnet Labs - The NLnet Labs Blog

Team NLnet Labs

Proudly serving the Internet community for over 20 years with open source core infrastructure tools for DNS and BGP

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Merely doing RPKI ROV does not provide any guarantees where your packet ends up. We conducted an experiment where we look into the impact of RPKI ROV on whether the packet ends up in the intended location based on active beaconing with two servers.

Journeying into XDP: XDPerimenting with DNS telemetry

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

Running Krill under APNIC

Running Krill under APNIC

As you may know APNIC offers their members the option of running their own delegated RPKI CA instead of using the APNIC portal RPKI service. Moreover, APNIC also allows their members to make use of the APNIC managed RPKI repository infrastructure for publication of their RPKI objects. The latter is

Running Krill under ARIN

Running Krill under ARIN

When using RPKI in the ARIN region you have the choice between using the Hosted RPKI service in ARIN Online, or running Delegated RPKI. While using ARIN's web interface to manage Route Origin Authorizations (ROAs) works okay, running Delegated RPKI with free, open-source Krill has several advantages: * Krill will show

A little extra explanation is always helpf

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE was already supported in NSD since version 4.3.6 released in April of 2021, as with most things in a resolver, EDE support took more time to implement. As a short

Journeying into XDP: Fully-fledged DNS service augmentation

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP rate-limiting queries feature can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks. Journeying into XDP: Part 0Network

Braving the Waves with Krill

Braving the Waves with Krill

If you have the luxury that your RIR, NIR or some other organisation offers an RPKI Publication Server that you can use, well then you're in luck. You would only need to set up a Krill CA instance – you can pretty much follow the guide we wrote for "Testing the

Testing the Waters with Krill

Testing the Waters with Krill

We sometimes hear that people have cold feet when it comes to trying out Krill. But, did you know that Krill is at its most prolific in arctic oceans? So, come join us as we guide you through getting started with a Krill instance in a safe and secluded testbed

Making a Krill Sanctuary

Making a Krill Sanctuary

We sometimes hear that people have cold feet when it comes to trying out Krill on the open ocean, so we decided to create a safe and secluded sanctuary. If you just want to run a Krill instance under this environment, then please read " Testing the Waters with Krill [https:

Dishing up Krill

Dishing up Krill

RPKI Certification Authorities (CAs) publish their RPKI related content using a so-called Publication Server, which in turn makes the 'publication point' for this and all other CAs it serves available in an RPKI Repository. These repositories are served to Relying Party (RP) software for RPKI validation using rsync and the

Routing Featured

Of Donkeys, Mules & Horses

A quest for the perfect data-structure to store and retrieve a full table of IP Prefixes, while maintaining the hierarchical relations.

How To Run Krill Behind an NGINX Reverse Proxy

How To Run Krill Behind an NGINX Reverse Proxy

Although Krill has a built-in HTTPS server, it may be desirable to run a production grade webserver as a reverse proxy in front of Krill. This allows easy TLS configuration and additional restrictions, if desired.

Supporting DNSSEC Key Signing Ceremonies

Supporting DNSSEC Key Signing Ceremonies

Over the past decade, uptake of DNSSEC has grown significantly. The vast majority of top-level domains (TLDs) is now DNSSEC-signed. While key signing ceremonies are now deployed in many places in the DNSSEC community, what is lacking is a common approach, especially related to tooling.

Moving RPKI Beyond Routing Security

Moving RPKI Beyond Routing Security

Resource Tagged Attestations, or RTAs, are a new type of RPKI object that is being proposed by authors from APNIC and NLnet Labs in the IETF. They allow any arbitrary file to be signed ‘with resources’ by one or more parties.

Introducing JDR: explore, inspect and troubleshoot the RPKI

Introducing JDR: explore, inspect and troubleshoot the RPKI

Today we launch the first version of JDR, our hosted tool to check anything in the RPKI. While not yet 100% feature complete, we think it already offers useful insights to operators and implementors, and moreover, we would like their input and ideas for further developments of JDR. In this

SAD DNS and NLnet Labs DNS software

SAD DNS and NLnet Labs DNS software

Update 18 November 2021: we are aware of the follow-up paper published by the researchers. The text below remains accurate for Unbound users. Please note that Unbound 1.13.2 and newer has IPv6 PMTU disabled for UDP. During the ACM CCS conference 2020, held November 9-13, researchers from UC

Why Routinator Doesn’t Fall Back to Rsync

Why Routinator Doesn’t Fall Back to Rsync

When creating software, we carefully weigh each design decision: security, resiliency, usability and many more factors play a role in the end result. This article explores the reasoning behind a behaviour that isn't specified in an RFC but which has significant impact on operators deploying RPKI.

Journeying into XDP Part 1: Augmenting DNS

Journeying into XDP Part 1: Augmenting DNS

How can eXpress Data Path (XDP) augment existing DNS software? We share our experiences of implementing Response Rate Limiting in XDP.

Testing .. 123 Delegated RPKI

Testing .. 123 Delegated RPKI

Validate your delegated RPKI deployment with the new NLnet Labs RPKI test root.

DNS-over-HTTPS in Unbound

DNS-over-HTTPS in Unbound

A major step forward in end user privacy.

Some Country for Old Men

Some Country for Old Men

An Unbound Story of Serving Expired Records.