⛱ The Things We Did Last Summer

Jasper's allotment
Spot the software developer... 

We hope you enjoyed your summer! Our caipirinha-infused break was sprinkled with train trips and community gardening. 🍸🚂👩🏼‍🌾 Now that we're all back, it's time for a new edition of our newsletter "Of Trees and Tries", covering exciting new projects, releases and standards work we've been cooking up in the sunshine. ☀️

💬 In this issue:

  • BGPsec and HSM support in Krill. Taking security a big step up.
  • The EDNS(0) Proxy Control Option. Let applications communicate using Do53 while still getting the privacy benefit from using more secure protocols.
  • DNS Zone File Parsers. New implementations in C and Rust.
  • The octseq Rust crate. Generics for variable-length octet sequences.

🔐 BGPSec and HSM Support in Krill

We have released Krill 0.10, which includes BGPSec Router Certificate Signing. These certificates are used in BGPSec to authorise a router key for an ASN in the RPKI. This functionality is provided in the hope that it will help the community gain operational experience with BGPSec deployment.

💡
BGPsec complements the experimental support Krill offers for ASPA, a new standard for customer to provider authorisations which is currently being discussed in the IETF.

This release also supports the use of Hardware Security Modules (HSMs) for key operations. By default, Krill uses OpenSSL for key generation and stores private keys on disk. For many organisations this will be good enough, but you can now take take security a big step up by using an HSM instead. HSMs are devices that can be used to safeguard and manage digital keys. They are designed to allow applications to use private keys, whilst ensuring that the actual private keys are never leaked outside of the device — not even to the application that is using the key.

Krill supports any HSM that is compatible with the PKCS#11 2.20 and/or the KMIP 1.2 standards. Our documentation offers an overview of how to configure an HSM, a number of implementations we have tested, as well as several scenarios you may encounter when deploying.

🕹 The EDNS(0) Proxy Control Option

Part of the connectbyname prototype is a configuration mechanism that allows the application to specify how DNS resolution should happen. For example, if an authenticated and encrypted connection to the recursive resolver is required, or that best effort, opportunistic encryption is good enough.

To this end we have a draft in the IETF to define a new EDNS option, called the Proxy Control Option. This allows a stub resolver to pass requirements to a local DNS proxy. We are working on adding support to the getdns library to send this option, and implement the server side in stub resolver Stubby.

📜 DNS Zone File Parsers in C and Rust

Because that’s how these things go, both Jeroen and Martin independently started working on improved DNS zone file parsers.

Jeroen’s parser is written in C and intended to replace the current parser in our authoritative nameserver NSD, primarily to speed up loading times, but may be made available separately for other projects to use. Martin’s parser is in Rust and part of the domain crate of DNS building blocks. It will replace the current parser in that crate, which turned out to be rather slow and much too convoluted.

Of course this results in fun little shootouts that we'll tell you about in an upcoming article.

🎱 Octseq: Generics for Variable-Length Octet Sequences

As part of the domain Rust crate, we developed a mechanism to write code that can deal with different representations of variable-length byte sequences. For instance, the same functionality should be available for a domain name no matter whether its data is stored in a byte slice or a vec or a shared type such as the bytes crate’s Bytes type.

But this mechanism isn’t useful for DNS only. Most networking protocols involve encoding data into and decoding it from a sequence of bytes and benefit from code that is independent of how these sequences are stored. That is why we have forked this code into its own crate, called octseq and made it available via crates.io. An immediate beneficiary of this work is routecore, our library with building blocks for BGP routing.

As this is a rather abstract and tricky concept, we'll work on documention with examples for both DNS and BGP, along with a blog post to explore the topic a little further.

🗞 From the News Desk

  • 🧮 In our ongoing series on eXpress Data Path (XDP), Luuk explores DNS Telemetry.
  • 📚 In the latest release of our DNS library ldns, we added functionality for parsing and printing of EDNS(0) options.
  • 🚀 The upcoming version of Routinator will have much faster restarts.

Thanks for reading, until next time!

Love from the NLnet Labs crew