Team NLnet Labs

Proudly serving the Internet community for over 20 years with open source core infrastructure tools for DNS and BGP

Newsletter

Destination: Brussels – Navigating the Open-Source Waters

In this newsletter all of our open-source efforts are headed for Brussels. The European Commission received our feedback on the proposed Cyber Resilience Act and we'll be presenting on these efforts at FOSDEM, the Brussels-based event centered on free and open-source software development. While we're there, we'll also head for

RPKI

Running Krill Under RIPE NCC

When using RPKI in the RIPE NCC service region you have the choice between using the Hosted RPKI service in the LIR Portal, or running Delegated RPKI. While using the RIPE NCC's web interface to manage Route Origin Authorisations (ROAs) works great, running Delegated RPKI with free, open-source Krill Certificate

Newsletter

DNS and Rust in Critical Infrastructure

Last month we skipped our regularly scheduled newsletter to give centre stage to Maarten's article on open-source software vs. the proposed Cyber Resilience Act. In the new year we'll give you an update on what has happened since, but now we'd like to tell you about our adventures at the

Policy Featured

Open-source software vs. the proposed Cyber Resilience Act

By Maarten Aertsen NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act (CRA) intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for manufacturers. 'Commercial' + Critical = Compliance

DNS

Somebody Told Me

Proxying client information to your favorite resolver and more.

Newsletter

Cooking with SIMD

When developers gather around a screen like in this picture, you know something special is cooking. We're very excited about our prototyping with single instruction, multiple data (SIMD) processing, but this newsletter is not about that yet (nor about better kerning). More on that soon! Now, with the summer break

Newsletter

⛱ The Things We Did Last Summer

We hope you enjoyed your summer! Our caipirinha-infused break was sprinkled with train trips and community gardening. 🍸🚂👩🏼‍🌾 Now that we're all back, it's time for a new edition of our newsletter "Of Trees and Tries", covering exciting new projects, releases and standards work we've been cooking up in the sunshine.

Research

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Merely doing RPKI ROV does not provide any guarantees where your packet ends up. We conducted an experiment where we look into the impact of RPKI ROV on whether the packet ends up in the intended location based on active beaconing with two servers.

Research

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics

Newsletter

🛠 A confidence building toolbox

Nobody likes pushing the "Go" button to deploy and just hope things will be okay. 🤞 In this newsletter we'll cover some of the recent additions to our software aimed at giving you more operational confidence... 💬 In this issue: * Zone Verification in NSD. Prevent zones with errors in the DNSSEC signed

DNS

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

RPKI

Running Krill under APNIC

As you may know APNIC offers their members the option of running their own delegated RPKI CA instead of using the APNIC portal RPKI service. Moreover, APNIC also allows their members to make use of the APNIC managed RPKI repository infrastructure for publication of their RPKI objects. The latter is

RPKI

Running Krill under ARIN

When using RPKI in the ARIN region you have the choice between using the Hosted RPKI service in ARIN Online, or running Delegated RPKI. While using ARIN's web interface to manage Route Origin Authorizations (ROAs) works okay, running Delegated RPKI with free, open-source Krill has several advantages: * Krill will show

DNS

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE was already supported in NSD since version 4.3.6 released in April of 2021, as with most things in a resolver, EDE support took more time to implement. As a short

Newsletter

DNS-over-QUIC coming to Unbound

Welcome to this new edition of the NLnet Labs newsletter, bringing you the latest on our adventures from the shores of DNS and BGP land. 🏖 In this issue we continue work on our all-singing, all-dancing RPKI library 🕺, uncover the difference between the two NLnets, prove that time spent with catz

Newsletter Featured

The NLnet Labs Newsletter – Spring 2022

Welcome to our first newsletter, providing you with an update on what we've been doing over the last few months and what's coming up from your favourite open-source development crew below sea level. 👷‍♀️ In this edition: both our software development and Internet Governance activities get reinforced with new staff, the

Research

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP rate-limiting queries feature can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks. Journeying into XDP: Part 0Network

Krill

Braving the Waves with Krill

If you have the luxury that your RIR, NIR or some other organisation offers an RPKI Publication Server that you can use, well then you're in luck. You would only need to set up a Krill CA instance – you can pretty much follow the guide we wrote for "Testing the

Krill

Testing the Waters with Krill

We sometimes hear that people have cold feet when it comes to trying out Krill. But, did you know that Krill is at its most prolific in arctic oceans? So, come join us as we guide you through getting started with a Krill instance in a safe and secluded testbed

Krill

Making a Krill Sanctuary

We sometimes hear that people have cold feet when it comes to trying out Krill on the open ocean, so we decided to create a safe and secluded sanctuary. If you just want to run a Krill instance under this environment, then please read " Testing the Waters with Krill [https:

Krill

Dishing up Krill

RPKI Certification Authorities (CAs) publish their RPKI related content using a so-called Publication Server, which in turn makes the 'publication point' for this and all other CAs it serves available in an RPKI Repository. These repositories are served to Relying Party (RP) software for RPKI validation using rsync and the

Routing Featured

Of Donkeys, Mules & Horses

A quest for the perfect data-structure to store and retrieve a full table of IP Prefixes, while maintaining the hierarchical relations.

RPKI

How To Run Krill Behind an NGINX Reverse Proxy

Although Krill has a built-in HTTPS server, it may be desirable to run a production grade webserver as a reverse proxy in front of Krill. This allows easy TLS configuration and additional restrictions, if desired.

DNS

Supporting DNSSEC Key Signing Ceremonies

Over the past decade, uptake of DNSSEC has grown significantly. The vast majority of top-level domains (TLDs) is now DNSSEC-signed. While key signing ceremonies are now deployed in many places in the DNSSEC community, what is lacking is a common approach, especially related to tooling.

RPKI

Moving RPKI Beyond Routing Security

Resource Tagged Attestations, or RTAs, are a new type of RPKI object that is being proposed by authors from APNIC and NLnet Labs in the IETF. They allow any arbitrary file to be signed ‘with resources’ by one or more parties.