🛠 A confidence-building toolbox

Nobody likes pushing the "Go" button to deploy and just hoping things will be okay. 🤞 In this newsletter we'll cover some of the recent additions to our software aimed at giving you more operational confidence...

💬 In this issue:

  • Zone Verification in NSD. Prevent zones with errors in the DNSSEC signed data from getting out into the wild.
  • Extended DNS Errors in Unbound. Get additional information about the cause of DNS errors.
  • Hybrid RPKI with Krill. Get all the benefits of running your own Certificate Authority, but leave ROA publication in the hands of your RIR.

☑️ Zone Verification in NSD

Zone verification prevents zones with errors in the DNSSEC signed data (i.e. bogus zones) from getting out into the wild. Previously we offered this as a separate solution called CreDNS. NSD 4.6.0 introduces zone verification natively, as a bump-in-the-wire solution.

With zone verification enabled, NSD acts as a zone transfer proxy that only propagates the update if the zone, with updates applied, passes all the checks. Benno and Jeroen wrote a blog post explaining the design of zone verification in NSD and how to configure it:

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy
NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

🔍 Extended DNS Errors in Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs), EDNS options that enrich a DNS response with an error code and, optionally, human-readable text specifying exactly what went wrong.

Unbound currently supports EDE for all DNSSEC validation errors, because we felt this would have the greatest impact. It also supports some filtering and other informative errors, as well as an EDE for stale answers.

Tom wrote a blog post explaining how Extended DNS Errors work, and how to get the most from this functionality in Unbound:

Extended DNS Error support for Unbound
Unbound 1.6.0 adds support for Extended DNS Errors (RFC 8914).
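As an added illustration (not part of this newsletter or of Unbound's own code), the Python below parses EDE options out of the RDATA of an EDNS OPT record following the RFC 8914 wire format; the INFO-CODE name table is a subset of the RFC's registry and the sample OPT data is constructed for the demo.

```python
import struct

EDE_OPTION_CODE = 15  # RFC 8914 Extended DNS Error EDNS option code

# Subset of RFC 8914 INFO-CODE values; a demo table, not Unbound's own.
EDE_INFO_CODES = {
    0: "Other Error",
    1: "Unsupported DNSKEY Algorithm",
    3: "Stale Answer",
    6: "DNSSEC Bogus",
    7: "Signature Expired",
    9: "DNSKEY Missing",
    10: "RRSIGs Missing",
    18: "Prohibited",
    19: "Stale NXDOMAIN Answer",
}

def parse_ede_options(opt_rdata: bytes):
    """Walk the RDATA of an EDNS OPT RR and return every EDE option found.

    Each EDNS option is OPTION-CODE(2) OPTION-LENGTH(2) OPTION-DATA.
    EDE OPTION-DATA is INFO-CODE(2) followed by optional UTF-8 EXTRA-TEXT.
    Returns a list of (info_code, name, extra_text) tuples.
    """
    results = []
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        pos += 4
        data = opt_rdata[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        pos += length
        if code != EDE_OPTION_CODE:
            continue  # some other EDNS option, e.g. Padding or Cookie
        if len(data) < 2:
            raise ValueError("EDE option shorter than its INFO-CODE")
        info_code = struct.unpack("!H", data[:2])[0]
        # EXTRA-TEXT is for humans, may be null-terminated, and comes from the
        # network: decode leniently rather than trusting it to be clean UTF-8.
        extra_text = data[2:].decode("utf-8", errors="replace").rstrip("\x00")
        results.append((info_code, EDE_INFO_CODES.get(info_code, "Unknown"), extra_text))
    return results

def build_ede_option(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option; used here only to construct sample input."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data

# Constructed OPT RDATA: an EDNS Padding option (code 12) followed by two EDEs.
SAMPLE_OPT_RDATA = (
    struct.pack("!HH", 12, 4) + b"\x00" * 4
    + build_ede_option(7, "signature expired for example.test")
    + build_ede_option(6)  # DNSSEC Bogus with no EXTRA-TEXT
)

if __name__ == "__main__":
    for info_code, name, text in parse_ede_options(SAMPLE_OPT_RDATA):
        print(f"EDE {info_code} ({name}): {text!r}")
```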

🔋 Hybrid RPKI with Krill

There is a lot of buzz around Hybrid RPKI, the deployment model where organisations run their own delegated Certificate Authority (CA) software and publish their ROAs in a repository offered by their National or Regional Internet Registry (NIR or RIR). This setup relieves you of the responsibility to keep a highly available HTTPS and rsync server online.

APNIC has been offering an RPKI Publication Service for quite a while already, ARIN launched theirs in March 2022 and the RIPE NCC is currently running a trial for their members.

The Hybrid RPKI model has proven to be hugely successful in Brazil. Just 2.5 years after NIC.br launched their service, more than 1400 organisations now run a Delegated CA with Krill and publish almost 8000 ROAs in their parent’s publication point.

To help with Hybrid RPKI deployment under the services of APNIC and ARIN, Tim and Alex wrote two articles explaining the benefits and guiding you through the setup process step by step:

Running Krill under APNIC
A step-by-step guide to running Delegated RPKI with Krill and publishing ROAs with APNIC.
Running Krill under ARIN
A step-by-step guide to running Delegated RPKI with Krill and publishing ROAs with ARIN.

As soon as the RIPE NCC offers their RPKI publication service, we’ll write a similar guide.

🗞 From the News Desk

That's all for now. Thanks for reading, until next time!

Love from the NLnet Labs crew