The Spring 2024 Newsletter
Welcome back to our newsletter “Of Trees and Tries”. In this spring edition, we’re excited to share what we’ve been working on and what’s coming up in the world of open-source, open standards and tech policy.
DNS
Benno and Alex started the year by sharing our thoughts on the next five years of DNS at NLnet Labs. It’s a recommended read if you follow our DNS journey or want a sneak preview of the future topics in this newsletter.
‘domain’ library development kicks into high gear
Thanks to the funding we’ve received from the Sovereign Tech Fund, we can have three full-time developers working on expanding the ‘domain’ library for Rust. You can read more about our ‘domain’ plans for this year, as well as our long-term vision for DNS, for which this library forms the foundation. Martin also presented on this project at the FOSDEM conference in Brussels, Belgium.
The ‘domain’ crate now has a basic stub resolver, and we just added caching capabilities. Next up, Ximon will be adding server-side functionality, including the ability to parse DNS zones, store them in memory and make them available for fast querying. At the same time, Philip will work on DNSSEC validation, while Martin has started working on ergonomics around ‘domain’, such as the diagnostics tooling based on the library.
If you want to test ‘domain’ or provide feedback, there is now a DNSDev channel on the DNS-OARC Mattermost server where we can discuss code and implementation details. We’re also documenting some of our findings along the way to share knowledge and help other implementers.
Unbound security releases; now back to features
Over the course of last year, we have been building new features for Unbound that you have all been asking for, such as DNS-over-QUIC, upstream DNS cookies and fast reload. However, as these are rather significant additions to the code base which add several thousand lines of code, they require extra careful review before releasing.
This feature review work got side-tracked because we, along with the rest of the DNS implementer community, were notified of several vulnerabilities that urgently required our attention. Now, with several security and bug fix releases done, our aim is to resume work on completing the review and release of the features we had completed earlier.
Faster zone file parsing in NSD
Meanwhile, we have completed work on our Single Instruction, Multiple Data (SIMD)-capable zone file parser. We’re now maintaining this as a separate open-source project, complete with documentation on Read the Docs, so other implementers can easily benefit from this work. The code has been reviewed thoroughly, and we are now preparing to release our fast zone parser as part of NSD.
Tech Policy
On the EU policy front, both the Cyber Resilience Act and the Product Liability Directive have passed the European Parliament. Though the text is not final, nor published in the official journal of the European Union, text is now stable enough to draw some conclusions for open source. Maarten wrote a reader’s guide to the Cyber Resilience Act’s scope for open source developers. The same post also covers the various sessions he helped co-organise at the first EU policy devroom at this year’s FOSDEM, including a reflection on his 17-month journey to understand the EU's attempt to regulate software with the CRA.
Jaap and Maarten attended ICANN79 in Puerto Rico as members of ICANN’s Security and Stability Advisory Commitee (SSAC). Jaap has been active in that role for over twenty years, Maarten was admitted last summer and has been trying to get up to speed. Examples of ongoing SSAC work are the wrap-up of the “Name Collision Analysis Project” which concerns risk when new labels allocated in the root zone of the DNS were already in use in private networks, and the “Registrar Nameserver Management” working party that looks at solutions to a longstanding issue on the registry/registrar side of the DNS that leads to hijacking risks, as described in a paper by Akiwate et al.
IETF 119 Hackathon
Over the weekend, the IETF 119 Hackathon took place, chaired by Benno, among others. It was an excellent opportunity to discuss and implement new ideas circulating within the IETF. One such intriguing concept gaining traction in the DNS realm is DELEG, a novel mechanism for signalling DNS delegation. Its aim is to facilitate the signallng of various name server capabilities like secure transport, error reporting, new encodings, and more, along with supporting outsourcing operations, name server authentication, and potential future extensions.
At the hackathon, Willem provided valuable feedback to the authors of the current DELEG draft, yielding new insights. Alongside discussions, Willem also contributed code to ldns, enhancing it to translate the new DELEG resource record into the traditional method of delegation using NS records and glue (this functionality is implemented in the ldns-signzone tool). Operators now have the flexibility to choose either method of delegation, as supporting both is not mandatory, unlike the case with IPv4 and IPv6.
🗞 From the News Desk
- We want to thank Tim Bruijnzeels for his contributions to NLnet Labs and wish him all the best on his future endeavours.
- We want to welcome Terts Diepraam to the NLnet Labs family as software engineer! Terts is another true Rustacean on the team, and his experience includes maintaining uutils.
- To celebrate Valentine’s day, we paid tribute to our package maintainers.
- We are now a happy customer of mailbox.org based in Berlin, Germany, for our e-mail inbox needs. Next up is entrusting the hosting of our mailman mailing lists to a similarly trustworthy player.
- The end of 2024 marks 25 years of NLnet Labs. To be continued...
Thanks for reading, until next time!
Love from the NLnet Labs crew