The Next Five Years of DNS at NLnet Labs

The Next Five Years of DNS at NLnet Labs
Photo by Dan Asaki / Unsplash

2024 marks 25 years of NLnet Labs. We have delivered on our mission to make the domain name system (DNS) more dependable and trustworthy, and we are full of ambitions for the future. 

DNS standards and operations have evolved significantly in the last decades as technology advances and increasingly sophisticated threats arise, resulting in greater complexity and challenges for developers and operators. These changing needs affect the strategy for our DNS product portfolio. In this article, we'll outline our plans for the next five years.

By Alex Band and Benno Overeinder

DNS is Everything Everywhere All at Once 

Every interaction on the Internet starts with establishing a connection using a domain name, such as the Internet address you enter in the address bar of your web browser, the email address you specify, or the unseen name used to play your favourite show on a streaming service.

As one of the most critical components of the Internet’s global infrastructure, the DNS plays a central role in enabling seamless communication between content consumers and providers. Consequently, DNS standards and operations have evolved significantly since the protocol was established in the 1980s, as technology advances and increasingly sophisticated threats arise. This changing landscape has created greater complexity and challenges for developers and operators.

These evolving requirements continue to influence our vision for DNS and the strategy for our products. NSD, our authoritative nameserver, and OpenDNSSEC, our DNSSEC signing solution, have clear use cases and target audiences, which makes maintenance and development clear and well-scoped. On the other hand, Unbound’s enormous success and ever-increasing potential use cases have profoundly affected our recursive resolver’s scope, size and maintainability. 

This reality sets the stage for the research and development and our work on open standards that we intend to do in the next five years.

Our Vision for the DNS

We want to ensure that Unbound remains a robust and reliable resolver at the core. Carefully managing the ever-expanding feature set should help that goal. At the same time, we strongly desire to fulfil the needs of DNS operators who must express their business logic and traffic engineering requirements. Instead of continuing to add new functionality to our existing resolver, we see an opportunity to build new, tailored solutions to address the requirements of operators large and small.

At the same time, NLnet Labs has the vision of making connectivity based on secure and private name resolution the default in all applications. Rather than go through the separate steps of establishing a safe, possibly encrypted and authenticated connection between a user and a content provider, we want to provide developers with high-level functionality to establish communications with the highest possible security and privacy guarantees.

NLnet Labs handles DNS complexity,
so you don’t have to.

For example, where software developers currently have to implement a significant number of steps to set up a connection to perform a DNS lookup—open an IPv6 connection and fall back to IPv4 if needed, establish a TLS encrypted session on top of the link, and if possible, authenticate the remote endpoint using DANE (DNS Authentication of Named Entities)—we aim to provide a single function call to achieve all of this. We call this "connect-by-name".

Connect-by-name isn’t just a theoretical concept. We developed several prototype libraries capable of supporting Happy Eyeballs, DANE authentication, selecting DNS upstreams, and limited support for SVCB/HTTPS. This work was funded by the NGI Zero Discovery Fund as part of the Next Generation Internet initiative.

Our Vision for the Trustworthiness of Our Software 

With NSD, Unbound, OpenDNSSEC and tool-building libraries such as ldns, NLnet Labs offers a comprehensive open-source DNS product portfolio. All these packages are written in the C programming language, which was the logical choice when these projects started and still serves us well.

In 2018, we started a Friday afternoon project called 'domain', a DNS library written in Rust, to learn what using memory-safe languages could mean for us and the industry. Our experiences were very positive right from the start. Rust offers a healthy and vibrant developer ecosystem, a rich type system, and an ownership model that guarantees memory and thread safety. These characteristics enable developers to eliminate many classes of bugs at compile-time. As such, we decided that Rust would be an excellent choice for our greenfield projects in routing security that we kicked off in 2019: Routinator and Krill.

With over six years of experience developing in Rust, resulting in software that is deployed globally in critical infrastructure, NLnet Labs will put a dedicated team of developers on making our vision for DNS a reality using a modern, memory-safe language.

Our Ambitions and Objectives

First and foremost, NLnet Labs is committed to the stable maintenance of our core products: NSD, Unbound and OpenDNSSEC. Some of our ancillary DNS tooling, such as ldns, can be regarded as feature complete and no longer require active development, freeing up the required resources for our objectives going forward.

Over the next five years, we will simplify the job of developers by taking on the responsibility of providing connect-by-name functionality in a well-established library. A similar concept already exists in frameworks for macOS/iOS and .NET environments, but none is available for open-source operating systems. 

Our first objective is to expand the domain DNS library, enabling developers to build software that caters to the needs of the modern Internet, from applications on small embedded devices to large-scale server farms. Through their use of our library, we will spur the adoption of secure and private defaults that are often not or suboptimally deployed because they are too hard to do well.

We strive to be an enabler of modern best practices through established and emerging open standards, as well as memory-safe implementations. What Let’s Encrypt achieved with the worldwide adoption of TLS on the server side, we want to bolster with secure name resolution.

Our second objective is to offer a fine-grained method of connecting customers to how DNS is resolved. The era where a recursive resolver just needed to translate a domain name into an IP address is long behind us. Nowadays, organisations rely on DNS to gain meticulous control over what services are offered and where they are hosted while also considering environments with stringent regulatory demands. Consider today's content delivery networks and cloud providers that need to instantaneously run services spanning multiple domains in the order of milliseconds to deliver these services to their end users.

We will allow users to express their business logic and traffic engineering requirements through a dedicated policy description language, for example, to make decisions based on interface, source address, and other variables, and then feed the result into a robust resolver implementation.

As the Internet continues to grow, the number of domain names in a single zone requires ever-increasing capacity. We want operators to achieve more with less hardware and a smaller energy footprint.

Our third objective is to provide industry-leading performance in authoritative DNS, leveraging the capabilities of modern CPU architectures, multi-threading technologies, and current advancements in network data processing, such as Express Data Path (XDP). We intend to provide robust and flexible means of storing and managing zone files for provisioning DNS.


As we ramp up to our 25th anniversary, 2024 will be a pivotal year for NLnet Labs, laying the foundation for the next five years of DNS solutions. Being a Public Benefit Organisation, all software will be free, open-source and with a liberal license.

Our ambition is to augment our existing DNS projects with new solutions. Our newly developed tooling allows our recursive resolver Unbound to focus on the primary task of Internet-wide resolving with a clear separation of operator-specific business logic. OpenDNSSEC will continue to be the enterprise DNSSEC signing solution with a rich feature set that top-level domain operators require. Lastly, NSD will be further enhanced to remain the leading performant authoritative DNS server.

Throughout this process, we will actively collaborate with the DNS operator and implementer community to validate the effectiveness of our solutions. If needed, we will bring work to the Internet Engineering Task Force (IETF) to standardise new protocols for interoperability, or extend existing standards.

In the next article we’ll dive into the domain DNS library milestones that our development team will deliver in 2024.