A collection of 40 posts
RRL SLIP and Response Spoofing
By Wouter Wijngaards The recent disclosure by ANSSI (CVE-2013-5661) notes problems with RRL Slip and response spoofing. This document explains the tradeoffs. Other documents with advice:
* French announcement from ANSSI: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html
* Dutch vuln announcement: https://www.ncsc.nl/.../NCSC-2013-0597.
NSD4 TCP Performance
By Wouter Wijngaards For NSD 4 the TCP performance was optimised, with different socket handling compared to NSD 3. This article discusses a TCP performance test for NSD 4. In previous blog contributions, general (UDP) performance [http://www.nlnetlabs.nl/blog/2013/07/05/nsd4-performance-measurements/] was measured and memory usage
NSD4 High Memory Usage
By Wouter Wijngaards NSD 4 is currently in beta and we are expecting a release candidate soon. This is the second of a series of blog-posts in which we describe some findings that may help you to optimize your NSD4 installation. In the first article [https://blog.nlnetlabs.nl/blog/
NSD4 Performance Measurements
By Wouter Wijngaards NSD 4 is currently in beta and we are expecting a release candidate soon. This is the first of a series of blog-posts in which we describe some findings that may help you to optimize your NSD4 installation. The article also serves as an explanation for differences
Using PMTUD for a higher DNS responsiveness
By Willem Toorop Motivation In May 2011 we were notified (by a Japan-based enthusiast) that our site wasn’t reachable over IPv6 unless the user lowered the MTU on his machine. This triggered interest in the “Path MTU Discovery black holes” problem [http://tools.ietf.org/html/rfc2923]
Open Recursor Blocked
By Wouter Wijngaards We have blocked an open recursive DNS nameserver running at NLnet Labs. This was due to abuse traffic, reflected traffic. Two different types of abuse traffic were pointed at this server:
* Queries of type ANY for large DNSSEC data. Sporadic bursts of about 3–5 qps, to
NSD 4 migration and features
By Wouter Wijngaards This post describes migration to NSD4 and the new features of NSD4. An overview of the NSD 4 project is here [http://www.nlnetlabs.nl/blog/2012/12/18/nsd-4-0-beta-announcement/]. Migration The old NSD3 config file can be used without changes for NSD4. There are new config
NSD 4.0 Beta: NSD4 sees the light..
By Wouter Wijngaards We are proud to announce a beta version of NSD4.0. With this beta release NSD4.0 is feature complete. Earlier [https://www.nlnetlabs.nl/blog/2012/09/14/nsd4-features/] we described our high-level plans with NSD4; below we describe the features that are available in NSD4.
DNS Response Rate Limiting as implemented in NSD
By Wouter Wijngaards (Note 10 Oct 2012: Rate limiting is being worked on at this time and is being tested; it is not available in NSD production code yet). (Update 10 Dec 2012: changed title to indicate it is based on Vixie and Schryver’s work) Rate Limits Rate limiting is
Howto: Add new RRtypes to NSD
People like to put stuff in the DNS. While we could put everything in a TXT record, in general it is better to define a new record type (RRtype). The latest addition is the TLSA record, to support the DANE protocol. The RRtype was added to NSD just one day after the RFC was published.
By Wouter Wijngaards NSD 4 is under development. The plan is to improve NSD 3 with a number of new features. The main goals are:
* More dynamic configuration support
* High number of zones supported
* It stays the lean and mean, typical secondary authoritative DNS server that you know it for.