🛠 A confidence building toolbox
Nobody likes pushing the "Go" button to deploy and just hope things will be okay. 🤞 In this newsletter we'll cover some of the recent additions to our software aimed at giving you more operational confidence...
💬 In this issue:
- Zone Verification in NSD. Prevent zones with errors in the DNSSEC signed data from getting out into the wild.
- Extended DNS Errors in Unbound. Get additional information about the cause of DNS errors.
- Hybrid RPKI with Krill. Get all the benefits of running your own Certificate Authority, but leave ROA publication in the hands of your RIR.
☑️ Zone Verification in NSD
Zone verification prevents zones with errors in the DNSSEC signed data (i.e. bogus zones) from getting out into the wild. Previously we offered this as a separate solution called CreDNS. NSD 4.6.0 introduces zone verification natively, as a bump-in-the-wire solution.
With zone verification enabled, NSD acts as a zone transfer proxy that only propagates the update if the zone, with updates applied, passes all the checks. Benno and Jeroen wrote a blog post explaining the design of zone verification in NSD and how to configure it:
🔍 Extended DNS Errors in Unbound
Unbound 1.16.0 adds support for Extended DNS Errors (EDEs), which are EDNS options that enrich a DNS response with an error code. It can include human-readable text specifying what went wrong exactly.
Unbound currently supports EDE for all DNSSEC validation errors, because we felt this would have the greatest impact. It also supports some filtering and other informative errors, as well as an EDE for stale answers.
Tom wrote a blog post explaining how Extended DNS Errors work, and how to get the most from this functionality in Unbound:
🔋 Hybrid RPKI with Krill
There is a lot of buzz around Hybrid RPKI, the deployment model where organisations run their own delegated Certificate Authority (CA) software and publish their ROAs in a repository offered by their National or Regional Internet Registry (NIR or RIR). This setup relieves you of the responsibility to keep a highly available HTTPS and rsync server online.
APNIC has been offering an RPKI Publication Service for quite a while already, ARIN launched theirs in March 2022 and the RIPE NCC is currently running a trial for their members.
The Hybrid RPKI model has proven to be hugely successful in Brazil. Just 2,5 years after NIC.br launched their service, more than 1400 organisations now run a Delegated CA with Krill and publish almost 8000 ROAs in their parent’s publication point.
To help with Hybrid RPKI deployment under the services of APNIC and ARIN, Tim and Alex wrote two articles explaining the benefits and guide you through the setup process step-by-step:
As soon as the RIPE NCC offers their RPKI publication service, we’ll write a similar guide.
🗞 From the News Desk
- 🤝 We are extending our partnership with Dutch top-level domain registry SIDN for another five years.
- 🔬 Together with the University of Twente and the RIPE NCC we are conducting an experiment to understand the effectiveness of RPKI Route Origin Validation.
- 🍕 We've welcomed the 500th member to the RPKI Community Discord server. We hope they brought pizza.
That's all for now. Thanks for reading, until next time!
Love from the NLnet Labs crew