Sign in Subscribe

The Winter 2026 newsletter

Team NLnet Labs

5 min read
The Winter 2026 newsletter
Photo by Joel & Jasmin Førestbird / Unsplash

Welcome to the Winter edition of our quarterly newsletter "Of Trees and Tries"! Snow and ice have not stopped us. Read on to learn about our adventures at FOSDEM and how Cascade is progressing. Feedback is welcome, either at ICANN85 (Maarten), IETF125 (Benno, Willem) or over at our community forum.

FOSDEM

Arya, Philip and Terts were all present at FOSDEM 2026, which was once again a great mix of cool technology, nice people, piles of stickers and lots of waffles.

We gave two presentations at FOSDEM this year. Philip gave a talk in the DNS dev room about the current state of Domain, our DNS library in Rust, and the products we've been building with it. He picked up where Martin left off in 2024, so watching these two talks should give you a pretty good overview. In the Rust room, Terts talked about how our scripting language Roto works under the hood, complementing his EuroRust talk on using Roto in applications.

You can find the slides and recordings in the FOSDEM archives:

Cascade

We’ve been very busy with Cascade! We will release a production-ready version at the end of June; Arya, Jannik, Philip, Terts, and Ximon have been hard at work making that possible. In April, we will cut the first release candidate, 0.1.0-rc1; you can track our progress on GitHub.

We’re incredibly grateful to the Sovereign Tech Agency for sponsoring parts of this work. Thanks to their partnership, we’ve been able to work on a large host of features for our production release: better HSM signing performance, a framework for integration tests, a migration tool from OpenDNSSEC, and much more.

Cascade is in the middle of many large-scale changes as we prepare for production readiness. Arya is overhauling how Cascade stores zone data, making things more deterministic and efficient. Philip is building an incremental signing pipeline from scratch, allowing Cascade to keep zones up-to-date very efficiently. Terts has been improving how Cascade’s components communicate with each other internally. Ximon has been working on easing migration for users of OpenDNSSEC and improving the HSM support. Between these efforts, Cascade is becoming highly reliable and efficient; we’re excited to provide DNS operators with a dependable solution.

Gather at our new forum

We now have a new community forum based on Discourse. You can go there with any questions or comments you have about our products. It has all sorts of goodies such as mail support, RSS feeds and Roto syntax highlighting. Ultimately, this forum will replace our mailing lists, which is why we made sure that using it via e-mail only is still an option.

In the first phase, we have categories on the forum for Cascade, Rotonda, Roto, our RPKI products and some DNS tools such as dnsi and dnst. Unbound and NSD will move to the forum eventually, but are still using the regular mailing lists for now. Once we move those products over as well, their mailing lists will be imported into the forum.

Check out the announcement post for more information.

Moving to Codeberg

Now that our forum has been set up, we can move the focus to where we host our code. We currently rely on GitHub to host and publish our code as well as running our CI, but we've been considering moving away from it for a while. 

We can now tell you that we have chosen Codeberg as an alternative. As a non-profit foundation, Codeberg really resonates with what we stand for. Also, from a geopolitical standpoint, we feel more comfortable hosting our code in the EU. Plus, we’re concerned about the strong push of LLMs into our daily work and would prefer to make our own decisions.

One by one, we will start migrating our projects to that platform. This will be a coordinated (and somewhat slow) process so we can ensure that this migration goes well. In the short term, we will provide GitHub mirrors for anyone relying on those URLs being available and up to date. We have already migrated the first repository: you can find Roto on Codeberg now.

The biggest challenge in this move is porting over our CI. Luckily, we received a pretty beefy server as a donation from a community member (thank you!) that we will use to run Forgejo Actions and Woodpecker on, so we can run all our CI without overloading Codeberg's CI runners.

Of course, we understand the challenges of running a non-profit dedicated to open source software, so to support Codeberg, our organization will apply to become a supporting member of the Codeberg e.V. organization.

Netstack.FM

Arya and Terts appeared on the Netstack.FM podcast, where they talked about both Cascade and Roto. Aside from the history, motivation, and use cases for these products, there were fun tangents regarding performance optimization and zero-copy networking. Give it a listen!

Technology & Policy

  • Maarten worked with ISC, CZ.NIC and NetDEF on a submission to the European Union’s call for evidence for an “open source strategy”. We brought the perspective of our type of non-profit organisations, responsible for the long-term maintenance of the likes of BIND9, Knot, FRR and our DNS and RPKI software. It seems the European Commission has some reading ahead of it; 1658 responses were submitted by companies, non-profits and individuals, making the FOSS strategy the second most popular public consultation in the history of DG CNECT.
  • We are following Brussels’ policy making on the Digital Networks Act (telecoms regulation, net neutrality), Cybersecurity Act (ENISA, certification schemes) and its bundled amendments to NIS2. To share one tidbit from the last one: the European Commission is proposing to remove individuals and small organisations up to ‘mid-cap’ size that operate DNS infrastructure from being considered ‘essential entities’ under NIS2. This fixes the current curious reality that running NSD at home makes you an ‘essential entity’ in many EU countries. 

Hot off the press

  • Unbound 1.24.2 has an additional fix for CVE-2025-11411 (possible domain hijacking attack) to include YXDOMAIN and non-referral nodata answers in the mitigation as well. This was reported by TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University.
  • NSD 4.14.1 has reduced memory usage from refactored RDATA storage. We’ve written a blog post, “Smaller, faster: NSD's refactored RDATA storage and compile time memory reduction options”, highlighting these memory reductions.
  • Krill 0.15.1 fixes a bug introduced in release 0.15.0 which causes CAs not to clear certification requests with their parents when they receive a new certificate. It is strongly recommended to upgrade from 0.15.0 to 0.15.1.
  • Krill 0.16.0 can more easily be accessed locally via a Unix socket. We also heard your concerns and reverted back to processing RISwhois data locally.
  • RTRTR 0.3.3 is a small bugfix release that fixes some issues with sending ASPA RTR streams and changes RTR version negotiation to the new scheme introduced in draft-ietf-sidrops-8210bis.
  • Roto 0.10 introduced a List type along with many other fixes and features.
  • Rotonda 0.5.1 features several improvements in the HTTP API, and a fix for running Rotonda with Roto scripts on SELinux-enabled systems. Under the hood, the codebase has undergone a first big cleanup to prepare for a next major release.

See you next quarter for another edition of "Of Trees and Tries"!

Sign up for more like this.

Enter your email
Subscribe