DNS The peculiar case of NSEC processing using expanded wildcard records Unbound, Google public DNS, PowerDNS and Dnsmasq contained a flaw that made it possible to downgrade secure connections.
DNS Bringing DNS Security and Privacy to the End User How the getdns API project helps to achieve the goal of DNSSEC validation and DANE authentication at the end-points.
DNS Privacy: Using DNS-over-TLS with the new Quad9 DNS Service Install and configure Stubby to communicate securely with the Quad9 DNS service using DNS-over-TLS.
Dev Testdriving the CrypTech Alpha Board Experiences with the open source hardware cryptographic engine.
DNS Client based filtering in Unbound Using ‘tags’ introduced in Unbound 1.5.10 and ‘views’ in Unbound 1.6.0 to let DNS answers depend on the address of the client.
Dev I Can’t Believe It’s Not DNS! Experiences with “I Can’t Believe It’s Not DNS!”, an authoritative DNS server on the Espressif ESP8266, written in MicroPython.
DNS Algorithm Rollover in OpenDNSSEC 1.3 Roll to a new algorithm securely with OpenDNSSEC 1.3.x if you are clever about it and don’t mind some manual intervention.
DNS NSD 4.1: zonefile-mode and fork fix NSD 4.1 has a new feature where it does not use the nsd.db file, but uses the zonefiles directly.
OpenDNSSEC project transferred to NLnet Labs NLnet Labs announces that it will take full responsibility for continuing the activities of the OpenDNSSEC software project and support.
Dev Hackathon at TNW-2014 At NLnet Labs we believe that DNSSEC allows for security innovations that will change the global security and privacy landscape.
Research Does Open Data Reveal National Critical Infrastructures? This blog post is based on the report “Open Data Analysis to Retrieve Sensitive Information Regarding National-Centric Critical Infrastructures [http://www.nlnetlabs.nl/downloads/publications/RP45%20Open%20Data%20Analysis%20-%20Critical%20infrastructures.pdf] ” by Renato Fontana. Democratization of Public Data The ideas of Open Data [http://okfn.org] comes from
Research How “National” is the Dutch Critical IP Infrastructure? This blog post is based on the report “Discovery and Mapping of the Dutch National Critical IP Infrastructure [http://www.nlnetlabs.nl/downloads/publications/RP2_report_Mapping_the_Dutch_Critical_Infrastructure.pdf] ” by Fahimeh Alizadeh and Razvan Oprea. Problem After the publication of the Critical Infrastructure Protection report more than
DNS RRL SLIP and Response Spoofing By Wouter Wijngaards The recent disclosure by ANSSI (CVE-2013-5661) notes problems with RRL Slip and response spoofing. This document explains the tradeoffs. Other documents with advice: * French announcement from ANSSI: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html * Dutch vuln announcement: https://www.ncsc.nl/.../NCSC-2013-0597.
DNS NSD4 TCP Performance By Wouter Wijngaards For NSD 4 the TCP performance was optimised, with different socket handling compared to NSD 3. This article discusses a TCP performance test for NSD 4. In previous blog contributions, general (UDP) performance [http://www.nlnetlabs.nl/blog/2013/07/05/nsd4-performance-measurements/] was measured and memory usage
DNS NSD4 High Memory Usage By Wouter Wijngaards NSD 4 is currently in beta and we are expecting a release candidate soon. This is the second of a series of blog-posts in which we describe some findings that may help you to optimize your NSD4 installation. In the first article [https://blog.nlnetlabs.nl/blog/
DNS NSD4 Performance Measurements By Wouter Wijngaards NSD 4 is currently in beta and we are expecting a release candidate soon. This is the first of a series of blog-posts in which we describe some findings that may help you to optimize your NSD4 installation. The article also serves as an explanation for differences
Research Using PMTUD for a higher DNS responsiveness By Willem Toorop Motivation In May 2011 we were notified (from a Japan-based enthusiast) that our site wasn’t reachable over IPv6 unless the user lowered the MTU on his machine. This triggered interest in the “Path MTU Discovery black holes” problem [6] [http://tools.ietf.org/html/rfc2923]
DNS Open Recursor Blocked By Wouter Wijngaards We have blocked an open recursive DNS nameserver running at NLnet Labs. This was due to abuse traffic, reflected traffic. Two different types of abuse traffic were pointed at this server: * Queries of type ANY for large DNSSEC data. Sporadic bursts of about 3–5 qps, to
DNS NSD 4 migration and features By Wouter Wijngaards This post describes migration to NSD4 and the new features of NSD4. An overview of the NSD 4 project is here [http://www.nlnetlabs.nl/blog/2012/12/18/nsd-4-0-beta-announcement/]. Migration The old NSD3 config file can be used without changes for NSD4. There are new config
DNS NSD 4.0 Beta: NSD4 sees the light.. By Wouter Wijngaards We are proud to announce a beta version of NSD4.0. With this beta release NSD4.0 is feature complete. Earlier [https://www.nlnetlabs.nl/blog/2012/09/14/nsd4-features/] we described our high-level plans with NSD4; below we describe the features that are available in NSD4.
DNS DNS Response Rate Limiting as implemented in NSD By Wouter Wijngaards (Note 10 Oct 2012: Rate limiting is worked on at this time, and is being tested, it is not available in NSD production code yet). (Update 10 Dec 2012: changed title to indicate it is based on Vixie and Schryver’s work) Rate Limits Rate limiting is
DNS Howto: Add new RRtypes to NSD People like to put stuff in the DNS. While we could put everything in a TXT record, in general it is better to define a new record type (RRtype). The latest addition is the TLSA record, to support the DANE protocol. The RRtype was added to NSD just one day after the RFC was published.
DNS NSD4 Features By Wouter Wijngaards NSD 4 is under development. The plan is to improve NSD 3 with a number of new features. The main goals are: * More dynamic configuration support * High number of zones supported * It stays the lean and mean, typical secondary authoritative DNS server that you know it for.