NLnet Labs

NSD 4.14.1 released

2026-02-24T12:00:00+01:00

Today, we released version 4.14.1 of the authoritative DNS nameserver NSD.

The previous release promised reduced memory footprint from refactored RDATA storage (and it did for the vast majority of cases), but just after the release, we received a report that NSD was consuming more memory for specific kind of zones (with RRsets consisting of many RRs). This release has that addressed so that NSD now consumes less memory in all cases and circumstances. A blog post highlighting these memory reductions is available at:

https://blog.nlnetlabs.nl/smaller-faster-nsds-refactored-rdata-storage-and-compile-time-memory-reduction-options/

Other than that, this release contains bug fixes, among others some that emerged with the new RDATA storage code from the previous release.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.15.1 ‘Contains Adult Language’ Released

2026-01-19T15:00:00+01:00

We have just published the latest release of Krill, versions 0.15.1 ‘Contains Adult Language.’

Krill is a daemon for running delegated RPKI, featuring a Certificate Authority and a publication server that allows you to create and publish signed statements about routing intent.

This release fixes a bug introduced in release 0.15.0 which causes CAs not to clear certification requests with their parents when they receive a new certificate. This causes the CA to re-request a new certificate every time it contacts the parent which by default happens once a day. Another consequence is that this blocks key rolls from progressing.

Because of these issues, we strongly encourage users of Krill 0.15.0 to upgrade at their earliest convenience.

Related links:

Rotonda 0.5.1 released

2026-01-09T14:00:00+01:00

We are delighted to announce a new minor release of Rotonda, version 0.5.1.

Rotonda is a programmable, analytical BGP engine, that allows users to gather routing data from various sources, such as routers, routing software and files, and over various protocols, such as BMP, BGP and MRT. Rotonda collects this information in an in-memory database.

This release adds some features to the HTTP/JSON API.

There have been some smaller changes and improvements. The full list of changes is available in the release notes.

Related links:

New OpenPGP keys for release signing and vulnerability reporting

2025-12-09T15:00:00+01:00

We are performing a routine roll of our software signing and vulnerability reporting OpenPGP keys.

From January 1st 2026, releases of ldns, NSD and Unbound will be signed with the following OpenPGP key:

User ID: NLnet Labs releases signing key G2 <[email protected]>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The new key is available from https://nlnetlabs.nl/signing-keys.

Effective immediately, our security entry point to report security vulnerabilities will switch to the following OpenPGP key:

User ID: NLnet Labs security G2 <[email protected]>
Key ID: BAE5 570A 6390 ADE6
Fingerprint: 9461 F444 EAC6 A4FE E985  BEC6 BAE5 570A 6390 ADE6

This key is available from https://nlnetlabs.nl/security-report.

NSD 4.14.0 released

2025-12-04T12:00:00+01:00

Today, we released version 4.14.0 of the authoritative DNS nameserver NSD.

NSD 4.14.0 comes with refactored RDATA storage, reducing the memory footprint of NSD.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.24.2 released

2025-11-26T00:00:00+01:00

We are pleased to announce the release of version 1.24.2 of the Unbound recursive DNS resolver.

This security release provides an additional fix for CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. If a malicious actor is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache for the delegation point.

Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.

Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies as well, mitigating the possible poison effect.

We would like to thank TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University for discovering and responsibly disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.

For a full list of changes, binary and source packages, see the download page.

Related links:

Unbound 1.24.1 released

2025-10-22T00:00:00+02:00

We are pleased to announce the release of version 1.24.1 of the Unbound recursive DNS resolver.

This security release fixes CVE-2025-11411.

Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data.

Unbound is vulnerable for some of these cases that could lead to domain hijacking.

Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.

We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University for discovering and responsibly disclosing the vulnerability.

For a full list of changes, binary and source packages, see the download page.

Related links:

Routinator 0.15.1 ‘Ain’t No Country Club Either’ released

2025-10-07T15:00:00+02:00

We are pleased to announce the latest release of Routinator, version 0.15.1 ‘Ain’t No Country Club Either.’

Routinator is an RPKI relying party software that collects and validates statements in the Resource Public Key Infrastructure (RPKI) about allowed route origins and makes them available to the BGP workflow.

This release fixes two issues that surfaced in 0.15.0.

The new optimistic initial validation run succeeded even if no trust anchor certificates were stored for a TAL because this is the expected behaviour for a regular validation run. This would result in the data for this trust anchor missing in the first data set produced. This is now fixed: if there are not stored trust anchor certificates for a TAL, the initial run is aborted and a normal run is started.

Additionally, when we added additional restrictions to the systemd unit files shipped with the binary packages, we added PrivateUsers=yes. This has the somewhat unexpected side effect that Routinator couldn’t bind to privileged ports, i.e., ports below 1024, for the RTR or HTTP servers. This release thus removes this setting from the unit files.

Related links:

Cascade 0.1.0-alpha ‘Globen' released

2025-10-07T11:00:00+02:00

We are pleased to announce the first release of Cascade, version 0.1.0-alpha ‘Globen’.

Cascade is a purpose-built, standalone DNSSEC signer, shaped by the real-world demands of TLD operators. Written from the ground up in Rust for safety, stability and speed, Cascade will be the next generation DNSSEC signing solution. For 15 years OpenDNSSEC served the DNSSEC community as a trusted DNSSEC signer. With the end-of-life announcement of OpenDNSSEC the future begins here with Cascade, a DNSSEC signer updated for a new era of DNSSEC signing.

As an alpha release please do not use this in production. Our goal with this release is to enable operators to try out Cascade and to gather feedback. With a first production ready version expected in the first half of 2026, your feedback is key and will shape the development of Cascade as we steam ahead.

From the start we are offering packages for installation on major operating systems and documentation to guide you. Cascade is a work-in-progress but is already capable of signing to match your workflow including automatic or manual key rollovers, built-in approval gates that let you run your own scripts to prevent a bad zone escaping into the wild, and with support for both on-disk and HSM signing keys.

And of course as with all our products we will offer paid support contracts for Cascade whether to help you migrate or be there if you need us.

Read all about the vision behind Cascade in our earlier blog post, and get started today with our packages and documentation. If the documentation doesn't answer your question or give you the guidance you need, keep checking back, Cascade is being actively developed and documented. Even better, let us know what we're missing by opening a GH issue or sending an email to [email protected]">[email protected] and we'll get right on it.

To try out Cascade right now follow the installation instructions in the manual.

Related links:

End-of-Life Roadmap for OpenDNSSEC

2025-10-03T14:00:00+02:00

We would like to inform our users and the wider DNS community about the planned End-of-Life (EOL) timeline for OpenDNSSEC. Operators are encouraged to start planning replacement. We will offer Cascade, a new DNSSEC signer, as a drop-in successor.

OpenDNSSEC has served the community for many years as a trusted DNSSEC signer. Since its first release in 2010, it pioneered automated DNSSEC key management and zone signing, and inspired other software projects to adopt similar functionality. Over time, however, operational requirements and best practices have evolved. The architectural choices made more than 15 years ago now make it increasingly difficult to maintain and extend OpenDNSSEC. We have decided that our resources and development efforts are better focused on building the next generation of DNSSEC signing solutions.

To ensure we continue to provide a reliable, modern, and efficient DNSSEC signing solution, we are developing Cascade, our new DNSSEC signer.

Timeline

3 October 2025 (today): Formal announcement of OpenDNSSEC End-of-Life.
October 2025 – October 2027:
- Ongoing support for OpenDNSSEC.
- Critical bug fixes and security updates.
- No new features will be developed.
October 2027: OpenDNSSEC reaches its official End-of-Life. No further updates or support will be provided.

Transition to Cascade

We encourage users to begin evaluating Cascade, our upcoming DNSSEC signing solution:

Alpha release available: October 2025
Production-ready release: First half of 2026

Cascade is being developed as a modern, efficient, and maintainable DNSSEC signing solution [1]. It builds on our experience with OpenDNSSEC while offering a stronger foundation for the future.

Before writing a single line of code for Cascade, we interviewed 16 Top Level Domain operators and other members of the DNS community about their requirements and wishes. You can read more about this in the linked article [2].

One of the key takeaways from these interviews is the desire to have a purpose-built, standalone DNSSEC signer, rather than a full authoritative server with signing capabilities. The result is an architecture that offers flexible deployment, sensible defaults, tight control over the signing process and, most of all, observability — ensuring you will know what the pipeline is doing and why, and what you can expect to happen next. Lastly, a key part of the project is offering comprehensive documentation [3] and an easy migration path from OpenDNSSEC to Cascade, with guidance and support services available from the first release onward.

We will present the Cascade prototype and give a live demo at the OARC 45 meeting on Tuesday, 7 October [4].

We sincerely thank the community, contributors, and users who have supported and improved OpenDNSSEC over the years. Your trust and feedback have been invaluable, and we hope the alpha release of Cascade offers a starting point for continuing this collaboration.

Contact and Resources

For questions, bug reports, or support:

[email protected]">[email protected]

Related links:

Rotonda 0.5.0 ‘Mosaïque Public’ released

2025-09-30T21:00:00+02:00

We are delighted to announce a new release of Rotonda, version 0.5.0 ‘Mosaïque Public’.

This release introduces a new version of roto, that can use more data from the context of the BMP/BGP sessions.

The HTTP api is redesigned to be more consistent and feature more endpoints. Filters for the HTTP API can be based on user-degined roto functions.

Also, in roto scripts, a new metrics object is introduced, enabling user-defined counters/gauges for the /metrics Prometheus endpoint.

There have been some smaller changes and improvements. The full list of changes is available in the release notes.

Related links:

Routinator 0.15.0 ‘This Ain’t No Disco’ released

2025-09-30T15:00:00+02:00

We are pleased to announce the latest release of Routinator, version 0.15.0 ‘This Ain’t No Disco’

Perhaps the most visible change in this release is that by default there will be significantly less information logged.

We’ve seen regular questions by users who aren’t intimately familiar with the inner workings of RPKI and got worried by messages about expired certificates etc., not realising that they are all normal and there is nothing they can or should do about it.

Starting with this version, Routinator will not log these messages any more but rather collect them and make them available in the status HTTP endpoints. We also structure them by repository or publication point, so it will be much easier to see what exactly went wrong, for instance, when fetching an RRDP repository.

If you don’t like this new behaviour and would rather see everything logged as previously, the new log-repository-issues command line and config file option will allow you to switch back.

In addition, we’ve done quite a few performance improvements. When Routinator is started in server mode, it now first does an “optimistic” intial run. It will only use stored data from previous runs and thus have a data set available within a few dozen seconds. In order to avoid accidentally creating an incorrect dataset, it will abort this initial run if data is requested that hasn’t been requested previously, e.g., because a TAL was added, and start a regular validation run.

We also changed the defaults for RRDP timeouts which allows Routinator to discover non-responsive RRDP servers much quicker. This roughly halved update durations in our tests.

As always, there are an number of additional improvements and fixes in this release. You can read all the details in the release notes

We would like to thank Zizhi Shang, Zhechao Lin, Jiahao Cao, Yangyang Wang, Mingwei Xu of the Institute for Network Sciences and Cyberspace (INSC), Tsinghua University as well as Niklas Vogel of Goethe University Frankfurt and ATHENE for reporting issues fixed in this release.

In case you are using our binary packages, with this version we added packages for recently released Debian 13 and RHEL. They will be available via our package repository.

Finally, we have added a threat model to the documentation, in which we describe the security assumptions Routinator's design is based on.

Related links:

Unbound 1.24.0 released

2025-09-18T10:00:00+02:00

We are pleased to announce the release of version 1.24.0 of the Unbound recursive DNS resolver.

This release features increased defaults, num.valops statistic, unbound-control cache_lookup, and bug fixes.

The default value increase for num-queries-per-thread is to make saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report.

The default value increase for so-sndbuf is to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report.

To help the server start more easily, the setsockopt for sndbuf buffer size prints a warning instead of a failure to start the server if it can not set the buffer size.

Various cache -slabs options are auto-configured if not specified in the config file. It uses a power of two close to the number of threads. When the option is specified in the config file that value is used instead.

An extra statistic is added to track the number of signature validation operations by the validator, num.valops.

The unbound-control cache_lookup command prints cache information for names in the domain given. This prints similar to dump_cache, but only names under the zone(s) specified. Because of that it locks the caches for a much shorter time, and this is good for server responsiveness.

The sock-queue-timeout option is adapted to work on FreeBSD as well as Linux.

For a full list of changes, binary and source packages, see the download page.

Related links:

NSD 4.13.0 released

2025-09-03T15:00:00+02:00

Today, we released version 4.13.0 of the authoritative DNS nameserver NSD.

NSD 4.13.0 now comes with the features --enable-bind8-stats, --enable-zone-stats, --enable-ratelimit, --enable-dnstap enabled by default, reducing confusion when using the same version of NSD packaged by different distributions with different configure options.

Additionally, NSD 4.13.0 contains experimental support for AF_XDP sockets as described in an earlier post that can be enabled using the --enable-xdp configure option.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.15.0 ‘But I Digress’ Released

2025-08-12T15:00:00+02:00

We are pleased to announce the release of Krill, versions 0.15.0 ‘But I Digress.’

Krill is a daemon for running delegated RPKI, featuring a Certificate Authority and a publication server that allows you to create and publish signed statements about routing intent.

This release primarily contains a lot of changes under the hood – refactoring of code and update of dependencies – most of which shouldn’t be visible to users. There are, however, two breaking changes that may be important.

First, we refactored command line parsing of the krillc and krillta tools. As a result, the options that are common to all subcommands have shifted to before the subcommand. This concerns the --server, --token, --format and --api options. If you have written scripts that use krillc or krillta, you may have to adjust them.

Secondly, the configuration for multi-user authentication with OpenID Connect has changed. We unfortunately had to do this because a library we have been using has not been updated in a long time and doesn’t work any more. The good news is that we think the new scheme is much simpler and configuration should be easier. It is, however, not quite as flexible as the old scheme. If the new scheme doesn’t work for your use case, please let us know!

More details of the new OpenID Connect configuration can be found in the manual.

In addition, we have replaced downloading the full RISwhois file for ROA analysis with calls to an API. This will decrease the memory usage of Krill since it doesn’t need to hold the content of the entire file in memory. If you don’t want your Krill to use this API run by us, you can disable the use entirely or run your own version of the Roto API.

Finally, there have been a number of smaller changes. The complete list can be found in the release notes.

Related links:

Unbound 1.23.1 released

2025-07-16T00:00:00+02:00

We are pleased to announce the release of version 1.23.1 of the Unbound recursive DNS resolver.

This security release fixes CVE-2025-5994.

A multi-vendor cache poisoning vulnerability named "Rebirthday Attack" has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., --enable-subnet, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the send-client-subnet, client-subnet-zone or client-subnet-always-forward options is used.

A malicious actor can then exploit the Rebirthday Attack in two steps. First, send queries to Unbound that would result in segregated ECS outbound traffic from Unbound for a single domain. Second, send non-ECS poisonous replies to Unbound trying to guess the DNS transaction ID before the real answer from the upstream name server arrives.

Unbound version 1.23.1 includes a fix that disregards replies that came back without ECS when ECS was expected. Instead it creates a non-ECS sub query, that could be aggregated with other such queries, to explicitly query for the non-ECS authoritative answer. The re-introduced query aggregation then defeats the Rebirthday Attack.

We would like to thank Xiang Li (AOSP Lab, Nankai University) for discovering and responsibly disclosing the vulnerability.

For a full list of changes, binary and source packages, see the download page.

Related links:

Rotonda 0.4.1 ‘Melolontha²’ released

2025-05-20T14:30:00+02:00

We are delighted to announce a new release of Rotonda, version 0.4.1 ‘Melolontha²’.

Rotonda uses a strongly typed, compiled language, called roto for filtering and creating policies, among others. We're proud to see our roto featured on the front page of Hacker News!

This release introduces two new roto filters that can act on RPKI Route Origin Validation information from an RPKI validator, like Routinator or rpki-client.

In the roto filter language users can now specify lists of ASNs that are compiled in the filter.

There have been some smaller changes and improvements. The full list of changes is available in the release notes.

Related links:

RTRTR 0.3.2 ‘Based on a True Story’ released

2025-05-06T17:00:00+02:00

We are happy to announce the latest release of RTRTR, version 0.3.2 ‘Based on a True Story.’

RTRTR is a tool to collect RPKI data from one or more sources in multiple formats and dispatch it onwards. It provides the means to implement multiple distribution architectures for RPKI such as centralised RPKI validators that dispatch data to local caching RTR servers.

This version adds support for ASPA to the RTR and JSON units and targets.

In addition, it fixes a number of smaller issues. You can find the full list in release notes.

More information about RTRTR including installation instructions can be found in the new RTRTR Manual.

Related links:

Rotonda 0.4.0 ‘Bold and undaunting Youth’ released

2025-04-24T14:30:00+02:00

We are happy to announce a new release of Rotonda, version 0.4.0 ‘Bold and undaunting Youth’.

This release features a first implementation of the RTR component, that allows Rotonda to receive Route Origin Validation information from RPKI validator software, like Routinator, or rpki-client.

Furthermore, this release uses a new version of Roto (the Rotonda filter programming language) compiler, which features a module system, and optional types.

Internally, preparations have been made to start storing routing information both in-memory and on-disk. Stay tuned.

There have been many smaller changes and improvements. The full list of changes is available in the release notes.

Related links:

NSD 4.12.0 released

2025-04-24T10:30:00+02:00

Today, we released version 4.12.0 of the authoritative DNS nameserver NSD.

This release introduces Prometheus metrics that can be configured with enable-metrics (see nsd.conf(5)).

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.23.0 released

2025-04-24T10:00:00+02:00

We are pleased to announce the release of version 1.23.0 of the Unbound recursive DNS resolver.

This release features changed defaults, fast reload, redis replica, DNS Error Reporting, and bug fixes.

The fast reload is a feature that is listed as experimental. With unbound-control fast_reload the server can read the new config in a thread, and when done only briefly pauses the server to update the settings. This uses double memory, for like zones from disk or config that is loaded. It only pauses the server, for like less than a second, so DNS service is not interrupted by the reload of config. A lot of config items can be changed, but not all. It has options to print more information, or memory usage, and there is a list of config options in the man page.

The redis replica support allows for a redis backend to use a redis replica. The read commands are sent to the redis replica host, while the write commands are sent to the redis server. So with several replicas there can be more readers that all write to the redis server.

With DNS error reporting, RFC9567, enabled with dns-error-reporting: yes, this uses the error reporting agent to send failure reports to. The number of error reporting queries is output in the statistics as num.dns_error_reports.

Some defaults are changed in this release. The resolver.arpa. and service.arpa. zones are added to the default locally served zones, this can be disabled with a nodefault local zone. The default for max-global-quota has changed to 200, after operational feedback. The defaults from RFC8767 are used by serve-expired-client-timeout on 1800 milliseconds and serve-expired-ttl on 86400 seconds. If Unbound is compiled with edns subnet, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet needs to be enabled, module-config: "subnetcache validator iterator" should be explicitly set as configuration in the server: section.

If edns subnet is enabled, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet is in use, also module-config: "subnetcache validator iterator" should be set as configuration in the server: section.

The RC2 has fixes for building on Solaris and portability to Windows, and fixes a memory leak for DoH.

For a full list of changes, binary and source packages, see the download page.

Related links:

The Phone Book of the Internet

2025-04-01T12:00:00+02:00

In light of a recent motion of the Dutch parliament [1], keeping with the trend of internet centralisation and considering the general state of the world [2], we are bringing the full DNS chain to a doormat close to you*. (Re-)introducing [3] The Phone Book of the Internet.

Whenever something doesn't work, it's generally the DNS [4]. Modern organisations need a contingency plan for when that happens. We resolved the A-records of domain names you probably want to use, resolved them for you, and compiled them into a convenient^{[citation needed]} booklet that can be used fully locally, even without power. Think of it as a bound version of Unbound.

And when the domain name you need is not in the booklet, you can always call our DNS resolver on +31 (0)85 369 5573.

Download your copy of the Phone Book of the Internet here

* We now have printing facilities: buy it here (sold effectively at cost) or get the source files yourself here.

Routinator 0.14.2 ‘Roll Initiative!’ released

2025-03-04T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.14.2 ‘Roll Initiative!’

This release updates the bundled Routinator UI package to version 0.4.5 which fixes an issue that caused the UI to fetch its data from NLnet Lab’s test installation rather than the actual Routinator instance it belongs to.

If you are using the bundled Routinator UI via the web interface, we suggest to upgrade to this version to access your own validated data.

Related links:

Routinator 0.14.1 ‘Black Cats and Voodoo Dolls’ released

2025-01-22T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.14.1 ‘Black Cats and Voodoo Dolls.’

This release fixes a crash when the file names of a manifest’s file list contain illegal characters. The issue has CVE-2025-0639 assigned. We would like to thank Haya Schulmann and Niklas Vogel of Goethe University Frankfurt/ATHENE Center for notifying us about this vulnerability.

In addition, the release improves the memory consumption of the new RRDP storage introduced in version 0.14.0 which tended to grow rather large over time. It should now end up with much less overhead. We will continue to keep an eye on how it develops long term and do further tweaks if necessary.

Further, standardisation of ASPA has progressed far enough in the IETF that we feel comfortable to include it in Routinator. You still have to explicitly set enable-aspa: true in your config file or use the --enable-aspa command line option to actually enable it.

Back in version 0.10.2 we disabled GZIP support for the RRDP collector as there were multiple issues with malicious GZIP files leading to memory exhaustion. We have now implemented a number of counter-measures that make us confident to re-enable support.

As always, there have been many smaller changes and improvements. The full list of changes is available in the release notes

Related links:

NSD 4.11.1 released

2025-01-18T12:00:00+01:00

Today, we released version 4.11.1 of the authoritative DNS nameserver NSD.

NSD version 4.11.0 had a serious bug in which applying updates to zones (and other modifications that require a reload, such as adding and deleting zones), could stop entirely after reception of a broken or corrupted update via zone transfer. We believe that this broken state would appear as one of the NSD processes consuming 100% CPU. Version 4.11.1 has this corrected as well as some other smaller non-critical bugs.

Many thanks to the people at SUNET and netnod (Fredrik and Arvid and all the others) that helped us to get to the bottom of this critical issue!

You can get source packages of this version from the downloads page.

Related links:

NSD 4.11.0 released

2024-12-12T12:00:00+01:00

Updated 2025-01-18: THIS VERSION HAS A SERIOUS BUG. Please upgrade to NSD 4.11.1 at the earliest opportunity.

Today, we released version 4.11.0 of the authoritative DNS nameserver NSD.

Version 4.11.0 sees various small features and bugfixes.

One notable feature is that configuration can be reloaded and evaluated on SIGHUP, when enabled with the new "reload-config" option. Also, DNS cookie secrets will be reevaluated from config too.

One notable bugfix is to process and apply non transfer tasks before transfer tasks during reloads. Before, non transfer tasks (such as adding or deleting zones) would be lost when batched together with a transfer task that would fail to apply.

You can get source packages of this version from the downloads page.

Related links:

Rotonda 0.2.0 ‘Happy Fuzzballs’ released

2024-11-21T16:30:00+01:00

We are super happy to announce a new - the second - release of Rotonda, version 0.2.0 ‘Happy Fuzzballs’.

Rotonda is a programmable, analytical BGP engine, that allows users to gather routing data from various sources, such as routers, routing software and files, and over various protocols, such as BMP and BGP and collect them into an in-memory database.

This release is for the most part a refactor of large parts of the internals of Rotonda, resulting in increased performance, and a greatly reduced memory footprint.

One notable improvement is the replacement of the Roto (the Rotonda filter programming language) compiler and virtual machine with a compiler that compiles Roto code down to machine code. Roto source code can be compiled by a running Rotonda application and can be inserted into the hot-path of the data flow. This new compilation process greatly improves performance.

A new (but still experimental) feature is the possibility to import mrt files, and load them into the in-memory database.

There have been many smaller changes and improvements. The full list of changes is available in the release notes.

Related links:

Unbound 1.22.0 released

2024-10-17T11:00:00+02:00

We are pleased to announce the release of version 1.22.0 of the Unbound recursive DNS resolver.

This release has an option to harden against unverified glue, it is enabled with harden-unverified-glue: yes. It was contributed by Karthik Umashankar from Microsoft. This protects Unbound against bad glue, that is out of zone, by performing a lookup for it. Because it uses the original information as a last resort if nothing works, it should not give lookup failures, and add protection.

There are options to configure the scrubbing for NS records and the CNAME scrubbing and the max global quota lookup limit from previous security fix releases. They can be configured with the options iter-scrub-ns, iter-scrub-cname and max-global-quota.

For redis use, with cachedb, it is possible to specify the timeout for the initial connection separately from the timeout for commands. With the options redis-command-timeout: 20 and redis-connect-timeout: 200 they can be set separately, for a longer connect attempt, but a short command timeout to keep resolution faster.

It is possible to log with ISO8601 format with log-time-iso: yes this also logs time in milliseconds. Useful if the server writes to file, syslog may have its own format.

DNS over QUIC is support is added, if compiled with libngtcp2 and with the openssl+quic that it uses. Use --with-libngtcp2 for that, and enable it with quic-port: 853. There is a post about it on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to appear after the release].

For a full list of changes, binary and source packages, see the download page.

Related links:

Unbound 1.21.1 released

2024-10-03T00:00:00+02:00

We are pleased to announce the release of version 1.21.1 of the Unbound recursive DNS resolver.

This security release fixes CVE-2024-8508.

A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for.

Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks.

Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and responsibly disclosing the vulnerability.

For a full list of changes, binary and source packages, see the download page.

Related links:

Unbound 1.21.0 released

2024-08-15T10:00:00+02:00

We are pleased to announce the release of version 1.21.0 of the Unbound recursive DNS resolver.

This release has a fix for the CAMP and CacheFlush issues. They have a low severity for Unbound, since it does not affect Unbound so much.

The Compositional Amplification (CAMP) type of attacks can lead to DoS attacks against DNS servers. In Unbound legitimate client requests to the resolvers under typical workload are not directly affected by CAMP attacks. However we introduce a global quota for 128 outgoing packets per query (and it's subqueries) that is never reset to prevent the combination of CAMP with other amplification attacks in the future. We would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue.

The CacheFlush type of attacks (NSCacheFlush, CNAMECacheFlush) try to evict cached data by utilizing rogue zones and a steady rogue stream to a resolver. Based on the zone, the stream, the configured cache size and the legitimate traffic, Unbound could experience a degradation of service if a useful entry is evicted and Unbound needs to resolve again. As a mitigation to the NSCacheFlush attack Unbound is setting a limit of 20 RRs in an NS RRset. We would like to thank Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University) for discovering and notifying us about the issue.

Other fixes in this release are bug fixes. Also the unbound control commands that flush the cache can clear both the memory and cachedb module cache. The ipset module can use BSD pf tables. The new option dnstap-sample-rate: 100 can be used to log 1/N messages, for use in high volume server environments where the log server does not keep up.

The new DNSSEC key for the root, 38696 from 2024 has been added. It is added to the default root keys in unbound-anchor. The content can be inspected with unbound-anchor -l. Older versions of Unbound can keep up with the root key with auto-trust-anchor-file that has RFC5011 key rollover. Also unbound-anchor can fetch the keys from the website with a certificate if needed.

For cookie secrets, it is possible to perform rollover. The file with cookie secret in use and the staging secret is configured with cookie-secret-file. With the remote control the rollover can be performed, add_cookie_secret, activate_cookie_secret, drop_cookie_secret and print_cookie_secrets can be used for that.

Compared to the RC1, the release has a fix for module loading on Windows, and a spelling correction.

For a full list of changes, binary and source packages, see the download page.

Related links:

NSD 4.10.1 released

2024-08-02T12:00:00+02:00

Today, we released version 4.10.1 of the authoritative DNS nameserver NSD.

Version 4.10.1 consists primarily of bug fixes.

@bilias implemented mutual TLS authentication for zone transfers. Please consult the nsd.conf manual for details on the newly introduced configuration options tls-auth-port and tls-auth-xfr-only.

Michael Orlitzky provided integration for the OpenRC init system.

Version 4.10.0 was the first release to integrate simdzone. Build issues on OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed. The fallback parser, used on systems that lack SSE4.2 and AVX2 instruction sets, contained some bugs with regards to state keeping and under certain circumstances a use after free bug was encountered in buffer management.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.13.2 and 0.14.5 Released

2024-06-27T15:00:00+02:00

We are pleased to announce the two releases of Krill, versions 0.13.2 ‘Be kind, rewind’ and 0.14.5 ‘Who dis? New Phone.’

Krill is a daemon for running delegated RPKI, featuring a Certificate Authority and a publication server that allows you to create and publish signed statements about routing intent.

These two releases fix an issue that causes Krill to panic if a CA with multiple parents and children has one of its parents removed, causing the children to try and revoke their certificates for that parent. This is relevant for Krill instances under NIC.br that themselves have children.

In addition, the releases update the HTTP library to avoid a possible denial-of-service attack described in RUSTSEC-2024-0332. If you are exposing Krill’s HTTP server directly to the Internet without a reverse proxy such as Nginx in between, we advise to update at your earliest convenience.

Version 0.14.5 in addition fixes an issue with encoding empty CRLs and empty RRDP deltas as well as a possible freeze when trying to access the RIS data while it is being downloaded. It also adds support for overriding the manifest number for trust anchor CAs.

The complete list of changes can be found in the release notes for 0.13.2 and 0.14.5.

Related links:

Routinator 0.14.0 ‘You Must Gather Your Party Before Venturing Forth’ released

2024-06-20T15:00:00+02:00

We are pleased to announce the latest release of Routinator, version 0.14.0 ‘You Must Gather Your Party Before Venturing Forth.’

For this release, we revamped how Routinator stores the local copy of RRDP repositories. Previously, each object in the repository was stored in its own file on the local file system. Because repositories consist of lots of very small objects, there was always a risk of running out of inodes – resulting in a confusing “No space left on device” error message. Now, we store all the objects in a single file which will avoid running out of inodes and should also save some disk space.

Our friends at Tweede Golf helped us revamp the Routinator UI and rewrote it using React only. While at it we streamlined the build system so it doesn’t require downloading assets during build any more.

This release updates one of our dependencies in response to a security advisory related to the HTTP server. If you are running Routinator allowing direct access to its HTTP server from the Internet (i.e., not with a reverse proxy in between), we suggest to upgrade to this version.

As always, there have been many smaller changes and improvements. The full list of changes is available in the release notes

Related links:

NSD 4.10.0 released

2024-06-13T12:00:00+02:00

Today, we released version 4.10.0 of the authoritative DNS nameserver NSD.

Version 4.10.0 integrates simdzone and drops the Flex+Bison zone parser.

NSD used a Flex+Bison based zone parser since version 1.4.0. The parser served NSD well, but zones have increased in size and zone loading performance has been problematic for some users.

With the integration of simdzone (https://github.com/NLnetLabs/simdzone), performance of loading zones and IXFRs is drastically improved. Quick measurements show improvements ranging anywhere from 3.8x to 1.6x, depending on zone size and database type, though the improvements will be less noticable for NSEC3 zones due to pre-hashing.

simdzone leverages SIMD instructions in modern CPUs to improve throughput. Right now SSE4.2 and AVX2 instruction sets are supported, other instruction sets will use the fallback implementation, which still is a decent improvement over the Flex+Bison based parser.

The release has additional fixes from the release candidate. The parse of lowercase type names is fixed and the x86_64 variable is set to no for other machines.

You can get source packages of this version from the downloads page.

Related links:

RTRTR 0.3.0 ‘Filmed Before a Live Studio Audience’ released

2024-06-06T17:00:00+02:00

We are happy to announce the latest release of RTRTR, version 0.3.0 ‘Filmed Before a Live Studio Audience.’

This version introduces a new "merge" unit that merges the data from all its source units into a single set rather than only using a single source as the "any" unit does now.

In addition, there are more configuration options for the HTTP client used by the "json" unit. This allows for instance to use a proxy for all HTTP request. The "json" unit and target now also support conditional HTTP requests, making it cheaper to check for updates more often.

The RTR timer values can now be configured for the "rtr" target rather than being hard-wired. The "rtr" target now can also produce detailed per-client metrics if enabled similar to what Routinator’s RTR server already does.

Under the hood, there were some architectural changes that should avoid RTRTR sometimes missing the first update during startup.

The complete list of changes available in the release notes.

More information about RTRTR including installation instructions can be found in the new RTRTR Manual.

Related links:

Gezocht: Voorzitter voor de Raad van Toezicht

2024-05-17T17:00:00+02:00

Wij zoeken per 1 juli 2024 een nieuwe voorzitter voor onze Raad van Toezicht (RvT) vanwege het aflopen van de termijn van onze huidige voorzitter.

Over NLnet Labs

NLnet Labs is een stichting, opgericht in 1999. Onze missie is het ontwikkelen van open-source software en open protocolstandaarden voor het internet en het uitvoeren van toegepast onderzoek op deze gebieden. We richten ons specifiek op twee kerncomponenten van het internet: het Domain Name System en het routeringssysteem. Het doel van ons werk is de robuustheid, veiligheid en betrouwbaarheid van het internet te verhogen en de privacy van de gebruikers te waarborgen.

Onze DNS-software wordt gebruikt in de hele internetindustrie, van de DNS root servers in het hart van het internet, tot DNS-servers van Top-Level Domain (TLD) operators en ISPs, tot kleine embedded systems. Dit geldt ook voor beveiligingssoftware voor het routingsysteem die het internet en de netwerken van grote bedrijven helpt beschermen. We durven dan ook wel te zeggen dat de kern van het internet voor een flink deel op onze software draait.

We realiseren onze missie samen met belangrijke internetspelers van over de hele wereld. Voorbeelden zijn de Internet Engineering Task Force Force (IETF), de Regional Internet Registries (RIR's), de Internet Corporation for Assigned Names and Numbers (ICANN), toonaangevende operators van TLD's (Top Level Domains) zoals .nl en .com, de International Standards Organisation (ISO), de Internet Society (ISOC), grote network operators zoals Comcast, devicebouwers zoals Apple en individuele onderzoekers.

NLnet Labs speelt een leidende rol in het promoten van technologieën die het vertrouwen, de veiligheid, privacy en schaalbaarheid verhogen en die bijdragen aan het mondiale karakter van het internet, met name voor het DNS en routing. We pionieren met deze nieuwe technologieën, helpen toekomstige standaarden te definiëren en bouwen prototypes. Onze omgeving ziet ons alom als toonaangevende DNS- en routingexperts en als een belangrijke stakeholder in het ontwikkelen en gebruiken van open standaarden en open software.

We overbruggen daarnaast de kloof tussen de academische wereld en de industrie door deel te nemen aan onderzoeksprojecten en we introduceren oplossingen die zowel praktisch als innovatief zijn. We adviseren over beleidsbeslissingen van internetorganisaties en overheden die van invloed zijn op de veiligheid en privacy van internetgebruikers overal ter wereld en op de stabiliteit van het internet zelf. Onze technische expertise en advies wordt algemeen erkend door beleidsmakers.

Onze ontwikkelaars en onderzoekers vormen samen een 'leane' organisatie van ongeveer 16 mensen, met minimale managementoverhead. We trekken getalenteerde mensen aan die een verschil willen maken voor de veiligheid en openheid van het internet, met een diep geloof in open source en open standaarden.

Topstructuur van NLnet Labs

NLnet Labs kent een eenhoofdig statutaire directie. Het heeft daarnaast een managementteam, waar naast de directeur-bestuurder ook de directeur productontwikkeling (niet-statutaire directeur) deel van uitmaakt.

Taken en verantwoordelijkheden van de voorzitter

De voorzitter heeft tot taak de vergaderingen van de RvT te leiden en is voor de bestuurder en andere betrokkenen het eerst aanspreekpunt binnen de RvT. De voorzitter zorgt ervoor dat de RvT tijdig de juiste inhoudelijke discussies voert en bewaakt tegelijkertijd de sociale cohesie in de RvT. De voorzitter stuurt in discussies op een goede balans tussen risicobeheersing, proces en technische inhoud. De voorzitter coacht en adviseert daarnaast de bestuurder en overlegt regelmatig met de bestuurder buiten de RvT-vergaderingen om, bijvoorbeeld om vergaderingen voor te bereiden of om tussentijds te overleggen over lopende dossiers. De tijdsinvestering van de voorzitter is daarmee hoger dan die van de overige RvT-leden.

Daarnaast vinden we de volgende kenmerken belangrijk:

Ervaring als eindverantwoordelijke in het (semi-) publieke domein
Ervaring met toezichthoudende functies in het private en (semi-) publieke domein
Inzicht en overzicht ten aanzien van de taken en functie van de RvT en bestuurder en de interactie die plaats dient te vinden tussen deze
Bij voorkeur ervaring met non-profitorganisaties en kennis van de internetindustrie

Persoonlijk profiel:

Leiderschap: beschikt over de persoonlijkheid en achtergrond om met autoriteit en natuurlijk gezag de voorzittersfunctie te vervullen en de RvT als geheel goed te laten functioneren. Onderkent de verschillen in belangen, behoeften en persoonlijkheden, verzekert de inbreng van elk der leden en neemt een leidende rol in doordachte besluitvorming van de RvT. Realiseert een doeltreffende samenwerking binnen de RvT en tussen de bestuurder. Handhaaft op consistente wijze algemeen aanvaarde sociale en ethische normen in woord en gedrag. Combineert autoriteit en senioriteit met toegankelijkheid en laagdrempeligheid.
Omgevingsbewustzijn: volgt en kent maatschappelijke ontwikkelingen, nationaal en internationaal, politieke ontwikkelingen en andere omgevingsfactoren. Begrijpt het maatschappelijk en economisch belang van het werk van NLnetlabs en de belangen van de diverse stakeholders. Heeft affiniteit met technologie en internet.
Vertegenwoordiging: beschikt over de eigenschappen en uitstraling om de RvT extern te vertegenwoordigen en een rol in het belang van NLnet Labs te vervullen.
Interactie met bestuurder: is eerste aanspreekpunt voor de bestuurder en coacht de bestuurder waar nodig om de doelen en ambities van NLnet Labs te realiseren, de interactie met de RvT en de bestuurder te helpen zichzelf verder te ontwikkelen.

De voorzitter van de RvT leidt de selectie en benoeming van nieuwe RvT-leden, voert jaarlijkse plannings-, functionerings-, en beoordelingsgesprekken met de bestuurder en leidt de jaarlijkse zelfevaluatie. Deze taken verricht de voorzitter samen met een of meer andere RvT-leden.

Over de RvT van NLnet Labs

De taken van de RvT van NLnet Labs volgen uit de wet, de statuten van de stichting en het reglement van de RvT. De leden van de RvT verrichten hun werkzaamheden in onafhankelijkheid (zonder last of ruggespraak).

De RvT staat de bestuurder terzijde om de ambities en doelstellingen van NLnet Labs te realiseren. De raad houdt toezicht op de algemene strategie, het beleid, de besluitvorming en de algemene gang van zaken, inclusief het functioneren van de organisatie in haar maatschappelijke context. De uitgangspunten daarbij zijn de statuten, het RvT-reglement en het strategisch plan van NLnet Labs.

Onderling vertrouwen tussen de RvT en bestuurder vormt de basis voor het goed functioneren van het bestuderingsmodel.

Algemene kenmerken van de leden raad van toezicht

Met het oog op een goede uitoefening van toezicht op de stichting NLnet Labs en de daaraan verbonden groepsmaatschappijen (in de zin van artikel 2:24b Burgerlijk Wetboek) hebben de leden van Raad van Toezicht (RvT) in ieder geval de volgende kenmerken:

Ruime professionele ervaring (als eindverantwoordelijke), maatschappelijk of binnen hun vakgebied eminent en van onbesproken gedrag.
De meerderheid van de RvT-leden beschikt over ruime bestuurlijke kennis en ervaring op (inter)nationaal niveau, waaronder in ieder geval de voorzitter.
In staat een juist evenwicht te houden tussen betrokkenheid en in de volle breedte van de verantwoordelijkheden toezicht houden op afstand.
Affiniteit met het werkveld, de doelstelling van NLnet Labs en het krachtenveld waarin zij opereert (zie statuten en strategisch plan), het internet, opensource software en ICT in het algemeen.
Richten zich bij de vervulling van hun taak naar het belang van NLnet Labs met in het achterhoofd de belangen van de mondiale, Europese en Nederlandse internetgemeenschap.
Fungeren autonoom ten behoeve van de stichting en stellen het belang van de stichting boven (de specifieke belangen van) een andere partij, groepering of stroming. Leden treden dus uitdrukkelijk niet op als (directe) vertegenwoordigers of afgezanten van een specifieke partij, groepering of stroming. Hebben geen onverenigbare belangen, posities of relaties.
In staat de benodigde tijd en energie te investeren.

Samenstelling en profielschets van de raad van toezicht

De RvT beschikt over een breed pallet aan ervaring, deskundigheid en vaardigheden die relevant zijn voor het werk van NLnet Labs. De leden vormen gezamenlijk een brede en afgewogen afspiegeling van de relevante partijen uit de mondiale, Europese en Nederlandse internetgemeenschap en hun belangen. De RvT heeft zo voldoende specifieke kennis om haar toezichthoudende rol te vervullen en de directie met raad en daad bij te staan.

De leden van de RvT hebben onder andere verstand van DNS en routing, open source software engineering, productontwikkeling, financiën en juridische zaken. Sommige RvT-leden combineren meerdere profielen tegelijk.

Een overzicht van de huidige leden van de RvT staat hier: https://nlnetlabs.nl/organisation/

Vergaderingen

De RvT vergadert 6 keer per jaar: 1 reguliere vergaderingen per kwartaal, een strategiesessie en een zelf-evaluatie. De RvT stelt de data en locaties aan het eind van het vorige kalenderjaar vast.

Ondersteuning

De voorzitter van de Raad van Toezicht wordt bijgestaan door een managementassistent. Deze assistent helpt bij het inplannen van afspraken, voorbereiden van de agenda voor de vergaderingen van de Raad van Toezicht en het bewaken van de planning & control.

Unbound 1.20.0 released

2024-05-08T10:00:00+02:00

We are pleased to announce the release of version 1.20.0 of the Unbound recursive DNS resolver.

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much.

To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and make Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations are presented further down.

Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses.

The option cachedb-check-when-serve-expired option makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default.

The -q option for unbound-checkconf can be added to silence it when there are no errors.

The DNSBomb vulnerability CVE-2024-33655.

Summary

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

Unbound itself is not vulnerable for DoS, rather it can be used to take part in a pulsing DoS amplification attack.

Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers.

Affected products

Unbound up to and including 1.19.3.

Description

The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the authoritative answers become available to Unbound at the same time, Unbound starts serving all the accumulated queries. This results into large-sized, concentrated response bursts to the spoofed addresses.

From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages but they are also briefly listed here together with their default values for convenience:

discard-timeout: 1900 After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of "old" replies. Legitimate clients retry on timeouts.
wait-limit: 1000 wait-limit-cookie: 10000 Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default. wait-limit: 0 disables all wait limits.
wait-limit-netblock wait-limit-cookie-netblock These do not have a default value but they can fine grain configuration for specific netblocks. With or without EDNS Cookies.

The options above are trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers.

Acknowledgements

We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack.

For a full list of changes, binary and source packages, see the download page.

Related links:

Domain 0.10.0 released

2024-04-29T15:00:00+02:00

We are pleased to announce the release of version 0.10.0 of domain, our Rust crate for interacting with the Domain Name System (DNS).

This release is the result of the first three months of increased focus on the library. We have written more about our plans for the domain crate and what’s in store for this and the following years back in January in a blog post.

Breaking Changes

While we are adding many new features, we are also taking the opportunity to improve and clean up the existing code. This unfortunately means a number of breaking changes for current users of the crate. We tried to collect as many of those as possible in this release with the hope that we will not have to do big breaking changes again in the foreseeable future.

While most of these changes should have only limited impact on your code, there are two that might require somewhat more extensive search-and-replace.

For one, we decided to bite the bullet and rename all references to domain name from Dname to just Name. This resolves a very confusing conflict between our domain name type Dname and the DNAME record type. For consistency, we renamed all occurrences of Dname in type and function names. Not only is Dname now just Name, but there now also are RelativeName instead of RelativeDname and the ToName trait instead of the ToDname trait.

While at it, we also changed what is now the ToName::to_name method to follow the usual pattern of ToName::try_to_name for builder types with a limited buffer that can error out and ToName::to_name for unlimited builders. This change might cause somewhat confusing error messages but will save you an unwrap in many cases.

The second big change is that we changed how we represent the IANA-registered DNS parameters like Rtype or Class. Previously they were enums with an Int(_) variant for unknown values. This choice was made way back when associated constants weren’t available yet but made it always tricky to guarantee that the Int(_) variant really only contained unknown values.

We now changed all those types in the base::iana to structs wrapping the underlying integer type and represent the registered values as associated constants. This has the nice side-effect that they are now all-caps like they are in most of the registries. E.g., the DNAME record type is now Rtype::DNAME rather than Rtype::Dname.

There are a number of additional changes. We’ve fixed scanning, formatting, and serialization of CharStr and TXT record data to be more consistent. We cleaned up error types everywhere which now hide internal error details and only provide enum variants where a differentiation between error cases is meaningful to the caller. For all the changes, please check the release notes.

New Features

This release also sees the first three new features added to the crate. Since we consider them experimental at this point – we want to gain experience with the designs we’ve chosen and change them if necessary –, we decided to introduce the notion of “unstable features.” The idea is that these features may contain breaking changes even in minor releases to keep the frequency of breaking releases at a lower rate. If you want to use these features, you might want to use a specific version in your Cargo.toml.

The first of these new features is unstable-client-transport which adds the client side of sending DNS messages over UDP, TCP, and TLS. These transports can either be used individually or combined into a “redundant transport” that tries and picks the best available destination.

The second feature unstable-server-transport is the server counterpart and provides the ability to receive and process DNS requests. It is built on a Service concept that should sound familiar if you’ve used Hyper before. It also provides a configurable middleware that let’s you choose which server features you want to support.

Finally, we have the unstable-zonetree feature which provides the machinery for representing DNS zones, as well as an in-memory representation of a zone. Such a zone can be loaded from a zonefile – although we don’t have implementations for all record types yet – and can be used with the server transport to implement a simple authoritative server.

Other Additions and Bug Fixes

Beyond these big things, the release also contains quite a few small additions and bug fixes. Please see the release notes for details.

Acknowledgment

We would like to thank Sovereign Tech Fund for funding this work as well as everyone who has contributed to domain in the past and everyone who has used it!

Related links:

NSD 4.9.1 released

2024-04-04T14:56:00+02:00

Today, we released version 4.9.1 of the authoritative DNS nameserver NSD.

This release fixes the builds scripts in the release of version 4.9.0.

Version 4.9.0 adds support for DNS Catalog Zones (RFC 9432) version "2".

Both producer and consumer roles for catalog zones are implemented, but only a single consumer zone is allowed. The "coo" property, relevant when multiple consumer zones can be configured, is therefore not supported. The "group" property is. Consult the nsd.conf man page for details on how to configure and use catalog zones.

Thanks to Fredrik Pettai from Sunet for providing feedback and testing DNS Catalog Zones.

You can get source packages of this version from the downloads page.

Related links:

NSD 4.9.0 released

2024-04-03T16:37:00+02:00

Today, we released version 4.9.0 of the authoritative DNS nameserver NSD.

This release adds support for DNS Catalog Zones (RFC 9432) version "2".

Thanks to Fredrik Pettai from Sunet for providing feedback and testing DNS Catalog Zones.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.19.3 released

2024-03-14T10:00:00+01:00

We are pleased to announce the release of version 1.19.3 of the Unbound recursive DNS resolver.

This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0.

There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired.

For dnstap, it logs type DoH and DoT correctly, if that is used for the message.

The b.root-servers.net address is updated in the default root hints.

When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size.

Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries.

Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers.

For a full list of changes, binary and source packages, see the download page.

Related links:

Unbound 1.19.2 released

2024-03-07T00:00:00+01:00

We are pleased to announce the release of version 1.19.2 of the Unbound recursive DNS resolver.

This security release fixes CVE-2024-1931.

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop.

Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records.

The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.

From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability.

For a full list of changes, binary and source packages, see the download page.

Related links:

Routinator 0.13.2 ‘Existential Funk’ released

2024-02-26T15:00:00+01:00

Today we released version 0.13.2 ‘Existential Funk’ of Routinator.

This release fixes an issue in the RTR server that can be exploited remotely to cause Routinator to exit. We advise all users of Routinator that provide a public RTR service to upgrade to this release at their earliest convenience.

The issue, assigned CVE-2024-1622, is caused when an incoming RTR connection is closed again very quickly. In this case Routinator’s RTR server mistakenly considers the RTR listener socket as failed and exits.

We would like to thank Yohei Nishimura, Atsushi Enomoto and Ruka Miyachi of Internet Multifeed Co., Japan for discovering and reporting this issue.

Related links:

Unbound 1.19.1 released

2024-02-13T13:00:00+01:00

We are pleased to announce the release of version 1.19.1 of the Unbound recursive DNS resolver.

This security release fixes two DNSSEC validation vulnerabilities: CVE-2023-50387 (referred here as the KeyTrap vulnerability) and CVE-2023-50868 (referred here as the NSEC3 vulnerability).

The KeyTrap vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.

Both can force Unbound to spend an enormous time (comparative to regular traffic) validating a single specially crafted DNSSEC response while everything else is on hold for that thread. A trivially orchestrated attack could render all threads busy with such responses leading to denial of service.

From version 1.19.1 on, Unbound introduces suspension on DNSSEC response validations that seem to require more attempts than Unbound is willing to make per response validation run. Suspension means that Unbound will continue with other work before resuming a suspended validation offering CPU time between validation resumptions to other tasks. There is a backoff timer when suspending which is further influenced by the number of suspends already used and the amount of work currently in Unbound.

The introduced builtin limits in Unbound are:

Max 4 DNSSEC key collissions are allowed when building chain of trust. More than that without a secure key treats the delegation as bogus.
8 validation attempts per RRSET (combination of keys + signatures). If more are needed and Unbound has yet to find a valid signature the RRSET is treated as bogus.
More than 8 validation attempts per answer will suspend validation.
8 NSEC3 hash calculations are allowed before suspension. More than that will suspend validation.
The limit of total suspensions is 16 after which the query will error out. Any completed RRSET validations populate the cache for use in future queries.

While under attack Unbound could show higher CPU load because of the needed validations but the suspend strategy would guarantee the CPU is not locked on any particular validation task.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for discovering and responsibly disclosing the KeyTrap vulnerability.

We would like to thank Petr Špaček from ISC for discovering and responsibly disclosing the NSEC3 vulnerability.

To learn further about the vulnerabilities and the coordination process, we encourage you to read ISC's blog post titled BIND 9 Security Release and Multi-Vendor Vulnerability Handling.

For a full list of changes and binary and source packages, see the download page.

Related links:

Routinator 0.13.1 ‘Aziz, Light!’ released

2024-01-24T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.13.1 ‘Aziz, Light!’

This release includes a number of smaller fixes and improvements before a the next release will see some major changes.

We have fixed the dump command’s inability to deal with missing directories, accept private key files labelled “EC PRIVATE KEY” for the HTTP and RTR TLS configuration, and now log error output of the rsync command immediately rather than collecting it and logging it all at once, possibly overwhelming syslog.

For a fill list of changes, please have a look at the release notes

Related links:

NSD 4.8.0 released

2023-12-06T10:00:00+01:00

Today, we released version 4.8.0 of the authoritative DNS nameserver NSD.

This release introduces PROXYv2 support and faster statistics gathering, removes the database option and fixes bugs.

The proxy protocol support is an implementation of PROXYv2 for NSD. It can be configured with proxy-protocol-port: portnum with the port number of the interface on which proxy traffic is handled. The interface can support proxy traffic for UDP, TCP and TLS.

The removal of the "database: nsd.db" option removes unneeded code. It stored secondary zones in binary format. Zone files are used instead. This turns out to be about the same speed, for file access, and use much less memory. Plain text is also easier to deal with when inspecting the contents. Intended improvements in zone parser speed are expected to further enhance the performance, making it faster than the binary database.

The option to turn the database off with "" was introduced in 4.1.7 in 2015. It is now removed, and the 'database:' option is ignored for backwards compatibility, also the commandline '-f' option is ignored for backwards compatibility. This means NSD can start even though the option is present, and can then transfer zones from the primary and serve them.

Statistics are processed faster. NSD now uses shared memory to convey the statistics from the server processes to the xfrd process. This is faster, and also works while a reload is in progress. The statistics are no longer written over the command pipes between processes, and so do not wait for the processes. It is similar to how zone-stats have been implemented. It works for both stats and stats_noreset.

Thanks to Sunet for sponsoring the proxy protocol, and providing useful feedback in the early testing of the proxy protocol.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.19.0 released

2023-11-08T11:00:00+01:00

We are pleased to announce the release of version 1.19.0 of the Unbound recursive DNS resolver.

This release fixes a number of bugs, and adds some smaller features. The redis-logical-db option and cachedb-no-store option can be used for cachedb configuration. The disable-edns-do option can be used for working around broken network parts. For DNS64 there is fallback to plain AAAA when no A record exists.

There is a bug fix that when the UDP interface keeps returning that sending is not possible, unbound does not loop endlessly and waits for the condition to go away.

Resource records of type A and AAAA that are an inappropriate length are removed from responses. This hardens against bad content.

For a full list of changes and binary and source packages, see the download page.

Related links:

Routinator 0.13.0 ‘Should Have Started This in a Screen’ released

2023-09-21T15:00:00+02:00

We are pleased to announce the latest release of Routinator, version 0.13.0 ‘Should Have Started This in a Screen.’

This release was intended to bring support for ASPA to Routinator. But then the ASPA profile changed and there is a chance this will happen again. This could possibly leave users with an outdated version.

So, while ASPA support for the current draft version of ASPA is implemented in this Routinator release, it isn’t enabled by default. It consequently isn’t enabled in the Docker images and binary packages we provide either.

If you want to try out ASPA, you will have to build your own Routinator version from sources enabling the apsa feature. This is described in detail in the manual but the upshot is that you need to install Rust and then install Routinator via

cargo install --locked --features aspa routinator

In addition, there have been many smaller changes all over the code. The full list of changes is available in the release notes

Related links:

Routinator 0.12.2 ‘Brutti, sporchi e cattivi’ released

2023-09-13T15:00:00+02:00

Today we have released version 0.12.2 of Routinator.

This release fixes two issues in Routinator that can be exploited remotely by rogue RPKI CAs and repositories. We therefore advise all users of Routinator to upgrade to this release at their earliest convenience.

The first issue, CVE-2022-39915, can lead to Routinator crashing when trying to decode certain illegal RPKI objects.

The second issue, CVE-2022-39916, only affects users that have the rrdp-keep-responses option enabled which allows storing all received RRDP responses on disk. Because the file name for these responses is derived from the URI and the path wasn’t checked properly, a RRDP URI could be constructed that results in the response stored outside the directory, possibly overwriting existing files.

We would like to thank Haya Shulman, Donika Mirdita and Niklas Vogel for discovering and reporting these issues.

Related links:

Unbound 1.18.0 released

2023-08-30T11:00:00+02:00

We are pleased to announce the release of version 1.18.0 of the Unbound recursive DNS resolver.

This release adds DNS cookies downstream, support to respond with EDE error codes from cache, NAT64 support, and the capability to use a socket queue timeout to discard old packets, and other features and bug fixes.

The downstream DNS server cookies are from RFC7873 and RFC9018, it is turned on with answer-cookie: yes. It generates a random cookie secret, but for anycast setups the cookie secret can be configured with cookie-secret: "128bithex" with the same value as the other instances. Non cookie traffic can be disallowed with the allow_cookie acl option for access-control. Queries with valid cookie bypass the ordinary ratelimit, but a ratelimit can be configured for cookie queries with ip-ratelimit-cookie: 100. The statistics has counters for query_cookie_valid and query_cookie_client and query_cookie_invalid.

When queries come in with CD flag, a DNSSEC validation EDE can be returned, with information regarding a failure. EDE error information is also stored in the cache with the query responses. There is also EDE error information stored for the cachedb and the subnetcache.

There is NAT64 support, that is enabled with do-nat64: yes. The NAT64 prefix can be configured too, if not the default nat64-prefix: 64:ff9b::0/96. This is useful for an IPv6 only host where Unbound is running, so that Unbound can use NAT64 to connect to IPv4 servers.

The new default for the maximum UDP response size is 1232, with max-udp-size: 1232. This is similar to other resolvers. The new default is smaller and that makes it harder to get large responses. Thanks to Xiang Li, from NISL Lab, Tsinghua University.

There is a new option harden-unknown-additional: yes. This removes unknown records from the authority and additional section. This stops unknown records from being copied from the upstream to the downstream client, potentially exposing those clients to the extra records. Default is no, because it could hamper future protocol developments that want to add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University.

With the sock-queue-timeout: 3 option kernel timestamps are turned on for UDP queries, and old packets are dropped. Queries that have waited in the socket buffer for a long time are then discarded, and is useful if the host was not running for a while. The statistics has num.queries_timed_out and query.queue_time_us.max counters.

The local-zone type block_a is for when queries to IPv4 have to be stopped to force IPv6 usage. It stops type A queries with nodata, and transparently allows other queries.

The redis server can be contacted over a unix socket with redis-server-path: "/var/lib/redis/redis-server.sock". The redis server password can be configured with redis-server-password: "password".

The number of hashtable collisions is logged in the statistics counters msg.cache.max_collisions and rrset.cache.max_collisions. It can be used to monitor for mistakes where the wrong or same hash value occurs too frequently.

The repository does not have the bison and flex generated output in it, so these tools are necessary to compile from a checkout, the tarball distribution contains pregenerated files and can use either those files or bison and flex tools on the compile system.

If kernel timestamps are enabled, with the sock-queue-timeout option, they are also used to set the time for dnstap logs.

There is a yocto compatible init script available in the contrib directory of the source code, unbound.init_yocto. The number of cachedb hits from cache is output in num.query.cachedb. There is support for the dohpath parameter for the SVCB record type. Prefetch is supported for subnet cache entries. Detection of the python paths on the system has been expanded.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.7.0 released

2023-06-07T10:00:00+02:00

Today, we released version 4.7.0 of the authoritative DNS nameserver NSD.

This release adds a script for bash autocompletion for nsd-control. Also nsd-control can be configured to use unencrypted operation also when compiled without openssl. There is also a systemd service unit example file contributed. The dnstap log service can be contacted over TCP, with the dnstap-ip: ip option. It is also possible to use TLS, with dnstap-tls, it is enabled by default, and can be configured with the dnstap-server-name, dnstap-cert-bundle, dnstap-client-key-file and dnstap-client-cert-file options. The configure option --enable-root-server is obsolete, it is no longer used and defaults to on. In addition, the build file should support multicore build with flex and bison more easily.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.12.1 'Safety Belts' Released

2023-01-17T12:30:00+01:00

This release introduces two fixes for the Krill Publication Server. If you only use Krill as an RPKI Certificate Authority and publish elsewhere, e.g. in an RPKI Publication Server provided by your RIR or NIR, then there is no need to update to this release.

Firstly, this release fixes CVE-2023-0158. This CVE describes an exposure where remote attackers could cause Krill to crash if it is used as an RPKI Publication Server and if its "/rrdp" endpoint is accessible over the public internet.

Note that servers are not affected if the advice in our documentation was followed and a separate web server is used to serve the RRDP data.

Secondly, locking was added in this release to ensure that updates to the repository content are always applied sequentially. This fixes a concurrency issue introduced in Krill 0.12.0 that could result in rejecting an update from a publishing CA. In such cases the affected update would not be visible for RPKI validators, until a later publication attempt would be successful.

We advise that users upgrade to this version of Krill if they use it as their RPKI Publication Server. We also continue to recommend that a separate web server is used for serving the RRDP data.

Related links:

Unbound 1.17.1 released

2023-01-12T10:00:00+01:00

We are pleased to announce the release of version 1.17.1 of the Unbound recursive DNS resolver.

This release fixes a number of bugs. There are also new configuration options that by default do not change the existing behaviour of Unbound.

With statistics-inhibit-zero the printout of zero values by stats can be controlled. Similarly with max-sent-count and max-query-restarts the iterator behaviour can be controlled. The maximum CNAME chain length that is accepted can be changed by increasing the max-query-restarts number. This takes more time to follow those elements.

The keep-cache option allows reloads to change configuration whilst keeping the cache memory intact, making the cache hot for good response times after the change has completed.

The release contains an additional fix for service downgrade due to wrong hash values for wildcards in a hyperlocal zone, that was reported by Sergey Kacheev.

For a full list of changes and binary and source packages, see the download page.

Related links:

Routinator 0.12.1 ‘Plan uw reis in de app’ released

2023-01-04T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.12.1 ‘Plan uw reis in de app.’

This release fixes a small number of minor issues. Most importantly, the extra-tals-dir option introduced for the new TAL handling in version 0.12.0 is now also considered when it appears in the config file which accidentally wasn’t the case. In addition, the TLS-enabled servers for both HTTP and RTR now also accept private keys formatted as PKCS#1 RSA keys rather than only accepting PKCS#8 keys.

For a fill list of changes, please have a look at the release notes

Related links:

Routinator 0.12.0 ‘Brutalism and Gardening’ released

2022-11-10T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.12.0 ‘Brutalism and Gardening.’

This release completely revamps the initialisation. After ARIN has dropped their requirements to explicitly acknowledge their Relying Party Agreement before using the ARIN TAL, the explicit init command to install the TALs is not really necessary any more and has been dropped. Instead, starting with this release, the TALs can be selected through a number of command line or configuration file options.

By default, Routinator will now use the TALs of the five RIRs which are included in the Routinator binary. This is what most networks using RPKI want to use and means for them no initialisation is necessary at all any more. In particular, users of Docker images can now just run an image without having to perform any additional steps.

Options exist to disable the use of these built-in TALs (--no-rir-tals), select additional built-in TALs such as those of test beds (--tal)) or read additional TAL files from a directory (--extra-tals-dir).

Note that when installing Routinator 0.12.0 using a Debian or RPM package you may get a warning saying "Package distributor has shipped an updated version". This is because the --tal-dir option is deprecated. Routinator will ignore this option, so keeping the current file is fine.

In addition, Routinator now provides much more detailed information why an object was rejected and log the reason. This will make it easier to debug issues.

As always, there a many additional improvements and fixes. The full list of changes is available in the release notes

Related links:

NSD 4.6.1 released

2022-11-10T10:00:00+01:00

Today, we released version 4.6.1 of the authoritative DNS nameserver NSD.

This release has a couple of bug fixes. The alpn is set for dns over tls connections. And the SVCB type supports the dohpath parameter.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.17.0 released

2022-10-13T10:00:00+02:00

We are pleased to announce the release of version 1.17.0 of the Unbound recursive DNS resolver.

This release has new interface acl configuration options. These allow access-control actions, per interface. Also tags, and views can be configured per interface, queries over the interface are answered with these tags and views. It is configured with the options interface-action, interface-tag, interface-tag-action, interface-tag-data and interface-view. If there is also an access-control setting for the query, this overrides the interface settings for that query.

The PROXYv2 protocol is supported. It can be configured with the proxy-protocol-port: portno option. It is used to convey the IP addresses of clients that connect via a proxy to Unbound.

There are also fixes for a number of bugs. In some cases a blocking wait on a socket could happen, and this has been fixed. If the upstream sends a TC flag, erroneously, the reply is ignored and retried. When under load, with the new NRDelegation fixes from the previous release, there are mitigations to continue target discovery. There is also a fix for possible loops in the tcp reuse code.

The release version differs from the RC1, there is a bugfix for the proxy protocol for tcp read when no proxied addresses are provided.

For a full list of changes and binary and source packages, see the download page.

Related links:

Unbound 1.16.3 released

2022-09-21T12:00:00+02:00

We are pleased to announce the release of version 1.16.3 of the Unbound recursive DNS resolver.

This release fixes CVE-2022-3204 'Non-Responsive Delegation Attack'. It was reported by Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr and Shani Stajnrod from Reichman University.

This fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching, and limiting the number of times a delegation point can look in the cache for missing records.

For a full list of changes and binary and source packages, see the download page.

Related links:

Routinator 0.11.3 released

2022-09-13T15:00:00+02:00

We have just released Routinator 0.11.3. This release fixes a vulnerability present in Routinator 0.9.0 up to and including 0.11.2 which causes Routinator to exit if it encounters invalid data in RRDP snapshot or delta files. We have assigned CVE-2022-3029 to this issue.

Due to a mistake in error handling, data in RRDP snapshot and delta files that isn't correctly base 64 encoded is treated as a fatal error and causes Routinator to exit.

Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data. We are not aware of exploitation of this vulnerability at this point in time.

Starting with release 0.11.3, Routinator handles encoding errors by rejecting the snapshot or delta file and continuing with validation. In case of an invalid delta file, it will try using the snapshot instead. If a snapshot file is invalid, the update of the repository will fail and an update through rsync is attempted.

We would like to thank Donika Mirdita and Haya Shulman from Fraunhofer SIT and ATHENE for discovering and notifying us about this issue.

All users of Routinator 0.9.0 up to and including 0.11.2 are encouraged to upgrade to Routinator 0.11.3 at their earliest convenience.

The full list of changes is available in the release notes. Instructions on how to upgrade can be found in the manual.

Related links:

ldns 1.8.3 quickfix release

2022-08-15T00:00:00+02:00

Version 1.8.2 of ldns had a crash bug when creating packets with an EDNS OPT resource record without options. For example when just setting the DO bit (DNSSEC OK) or when specifying a larger UDP payload size.

This quick fix release has this resolved. Also the unit tests have been reviewed and updated to catch this in the future before release.

Compared to the 1.8.1 release, this release has some bugfixes and a few new features, most notably:

Since draft-ietf-dnsop-svcb-https will become RFC now anytime soon, SVCB and HTTPS RR types are now compiled by default.
Functionality for parsing and printing of EDNS0 Options.

The list of options in a packet can be accessed via a new function: ldns_pkt_edns_get_option_list(ldns_pkt *packet). The list can be further manipulated with functions as described in edns.h. Finally the options can be converted to presentation format with ldns_edns_option_list2buffer_str() from host2str.h.

drill will now also print EDNS0 options in a parsed format.

Related links:

ldns 1.8.2 released

2022-08-12T00:00:00+02:00

I am pleased to announce that version 1.8.2 of ldns is now available. Besides some bugfixes, this release also has a few new features, most notably:

Since draft-ietf-dnsop-svcb-https will become RFC now anytime soon, SVCB and HTTPS RR types are now compiled by default.
Functionality for parsing and printing of EDNS0 Options.

The list of options in a packet can be accessed via a new function: ldns_pkt_edns_get_option_list(ldns_pkt *packet). The list can be further manipulated with functions as described in edns.h. Finally the options can be converted to presentation format with ldns_edns_option_list2buffer_str() from host2str.h.

drill will now also print EDNS0 options in a parsed format.

Related links:

Unbound 1.16.2 released

2022-08-01T14:00:00+02:00

We are pleased to announce the release of version 1.16.2 of the Unbound recursive DNS resolver.

This release fixes the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. They were reported by Xiang Li from the Network and Information Security Lab of Tsinghua University.

Other than that there are some bug fixes, and an option to configure the max retransmit timeout, infra-cache-max-rtt. If left at default it does not make any change.

For a full list of changes and binary and source packages, see the download page.

Related links:

Unbound 1.16.1 released

2022-07-11T11:00:00+02:00

We are pleased to announce the release of version 1.16.1 of the Unbound recursive DNS resolver.

This release fixes a number of bugs. The number of nxdomains encountered when looking up a nameserver is not counted as such when the lookup was from cache. Also parent side queries are not created when the addresses are lame or already in cache. This solves lookup problems of domains with a lot of nxdomains, and that have parent-child differences.

Algorithms that are not supported are disabled when the system OpenSSL does not provide them, for FIPS OpenSSL installations.

Unbound sets IP_BIND_ADDRESS_NO_PORT socket option on outgoing tcp sockets to make the port space larger that can be used. The number of outgoing udp packets is collected in the num.query.udpout statistic.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.6.0 released

2022-06-30T10:00:00+02:00

Today, we released version 4.6.0 of the authoritative DNS nameserver NSD.

This release adds the zone verification support from the CreDNS code. There are also some bug fixes in the ixfr out code.

Zone verification can start a verifier program that reads the new zone data. It can reject the update. Or process the new zone data. The intent is for a DNSSEC verifier to inspect the zone before it is passed on with zone transfer or served to clients.

The zone verification can be enabled with enable: yes in the verify section in nsd.conf. You can then list the interfaces the NSD listens on while the verifier is active, so it can send queries for the new zone contents. With verify-zones: yes zones are verified by default. The command that is executed can be set with the verifier: ldns-verify-zone option. With verifier-count the max number of concurrent verifiers can be set. With the verifier-feed-zone: yes option the zone can be input on stdin to the verifier program. A timeout to stop the verifier can be set with the verifier-timeout option.

Per zone options can also be set for a pattern or for a zone, for zone verification. With verify-zone the zone verification can be enabled per zone. The verifier can be set per zone. And the verifier-feed-zone and verifier-timeout options can be controlled per zone.

You can get source packages of this version from the downloads page.

Related links:

RTRTR 0.2.2 released

2022-06-13T12:00:00+02:00

We have just released RTRTR 0.2.2.

This release fixes a one bug and two issues that were introduced in the 0.2 series. All users of RTRTR 0.2.0 and 0.2.1 are advised to upgrade.

The more severe of those is that RTRTR starts to introduce duplicate records in the output, both RTR and JSON over time, causing routers to reject the data.

Second, there were some formatting errors in the JSON output.

This release has fixed both these issues.

The complete list of changes is available in the release notes.

More information about RTRTR, as well as including installation instructions can be found in the RTRTR Manual.

Related links:

Unbound 1.16.0 released

2022-06-02T14:00:00+02:00

We are pleased to announce the release of version 1.16.0 of the Unbound recursive DNS resolver.

This release has EDE support, for extended EDNS error reporting, it fixes unsupported ZONEMD algorithms to load, and has more bug fixes.

The EDE errors can be turned on by ede: yes, it is default disabled. Validation errors and other errors are then reported. If you also want stale answers for expired responses to have an error code, the option ede-serve-expired: yes can be used.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.5.0 released

2022-05-13T10:00:00+02:00

Today, we released version 4.5.0 of the authoritative DNS nameserver NSD.

This release fixes a couple of minor bugs and adds IXFR out functionality. With this functionality NSD can respond to IXFR queries and serve IXFR transfers downstream.

It is default disabled, that means it does not store IXFR contents for zones by default. The response on the wire is different, also with IXFR disabled, because it is now supported, and thus also for those zones a reply is served, that no differential data is available.

You can get source packages of this version from the downloads page.

Related links:

Routinator 0.11.2 released

2022-04-20T15:00:00+02:00

We have just released Routinator 0.11.2 which fixes an issue causing the integrated RTR server to not always report the complete set of withdrawn VRPs and router keys to a router. This could cause a router to possibly retain withdrawn VRPs or router keys for some time.

This issue was introduced in version 0.11.0 with BGPsec router key support.

All users of Routinator 0.11.0 or 0.11.1 are encouraged to upgrade to Routinator 0.11.2.

The full list of changes is available in the release notes. Instructions on how to upgrade can be found in the manual.

Related links:

Routinator 0.11.1 released

2022-04-07T15:00:00+02:00

We are pleased to announce the latest release of Routinator, version 0.11.1.

This release improves the output of the dump command by stripping the internal header of objects retrieved via RRDP before copying them and adds the stored trust anchor certificates to the output.

In addtion, there a few bug fixes.

The full list of changes is available in the release notes.

Starting with this version, we are publishing binary packages for Ubuntu 22.04 via our package repository.

Related links:

Routinator 0.11.0 released

2022-02-28T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.11.0.

This release adds TLS support to both the built-in RTR and HTTP servers. It also adds support for validating and distributing BGPsec router keys. Since support for these keys in RTR hasn’t been widely tested, it will be initially disabled and needs to be activated via the new enable-bgpsec command line and config file option.

Some smaller features have been added as well, such as a new slurm output format that produces JSON files following the local exception files defined in RFC 8416, and the ability to to select VRPs with more specific prefixes in the vrps command and from the HTTP server.

As always, there a few additional improvements and fixes. The full list of changes is available in the release notes

Related links:

NSD 4.4.0 released

2022-02-17T10:00:00+01:00

Today, we released version 4.4.0 of the authoritative DNS nameserver NSD.

This release changes the memory allocation for outgoing zonetransfers, and this reduces the memory footprint. The defaults for the amounts are the same as before, but there are config options to configure the memory usage. There are also bug fixes.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.15.0 released

2022-02-10T10:00:00+01:00

We are pleased to announce the release of version 1.15.0 of the Unbound recursive DNS resolver.

This release has bug fixes for crashes that happened on heavy network usage. The default for the aggressive-nsec option has changed, it is now enabled.

The ratelimit logic had to be reworked for the crash fixes. As a result, there are new options to control the behaviour of ratelimiting. The ratelimit-backoff and ip-ratelimit-backoff options can be used to control how severe the backoff is when the ratelimit is exceeded.

The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for NXDOMAIN answers from RPZ. That is used by some clients to detect that the domain is externally blocked. The RPZ option for-downstream can be used like for auth zones, this allows the RPZ zone information to be queried. That can be useful for monitoring scripts.

For a full list of changes and binary and source packages, see the download page.

Related links:

RTRTR 0.2.0 ‘Arts and Crafts and Tactical Gear’ released

2022-01-19T12:00:00+01:00

We are happy to announce the latest release of RTRTR, version 0.2.0 ‘Arts and Crafts and Tactical Gear.’

This version introduces a new "slurm" unit that can be used to modify the RPKI data set using local exception files as defined in RFC 8416.

In addition, RTRTR can now speak RTR-over-TLS both as a client through the new "rtr-tls" unit as well as a server through the target with the same type name.

As always, there have been a number of smaller changes and improvements. Most important of these is perhaps that RTRTR’s "json" unit now understands the modified JSON format produced by newer versions of rpki-client.

The complete list of changes available in the release notes.

More information about RTRTR including installation instructions can be found in the new RTRTR Manual.

Related links:

NSD 4.3.9 released

2021-12-09T10:00:00+01:00

Today, we released version 4.3.9 of the authoritative DNS nameserver NSD.

This release contains a small number of bug fixes. The reconfig failure is fixed for cpu-affinity config re-read. Version repository and continuous integration files are removed from the sourcecode tarball.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.14.0 released

2021-12-09T10:00:00+01:00

We are pleased to announce the release of version 1.14.0 of the Unbound recursive DNS resolver.

This release contains bug fixes and a full set of RPZ triggers and actions that are supported. This works with RPZ zones, configured with rpz:.

It is possible to selectively enable use of TCP for stub zones and forward zones, without having enable it server wide, by enabling it with the stub-tcp-upstream: yes and forward-tcp-upstream: yes options.

The added contrib/Dockerfile.tests from ziollek can be used to setup a Docker environment to run tests in. The documentation is in the doc/README.tests file.

If openssl it installed with different versions, you can set the location as --with-ssl=/usr/include/openssl11 and it then detects the use of the lib dir split off in /usr/lib64/openssl11 with regex. This is useful if to pass to configure if openssl is installed in such a manner.

The option outbound-msg-retry can be used to select the number of retries when a non-positive response is received. It is best left at default, but when the upstream is known to not need retries, it can be lowered, because in that case the upstream is performing the retry for non-positive responses.

The domain home.arpa. is set by default as blocked, as per RFC8375. If you want to use it, unblock it with a local-zone nodefault statement, or use another type of local-zone to override it with your choice.

In the config it is possible to enter IPv6 scope-id values with interface names, instead of a number, for link-local addresses.

For a full list of changes and binary and source packages, see the download page.

Related links:

ldns 1.8.1 released

2021-12-03T00:00:00+01:00

This is a quickfix release fixing bugs that had 1.8.0 installing incorrectly. Compared to the 1.7.1 release, this release has many bugfixes and also a few new features, most notably:

ZONEMD support in ldns-signzone and ldns-verify-zone
Draft implementation of the SVCB and HTTPS RR types. Use --enable-rrtype-svcb-https with configure to compile with these supported.

Related links:

ldns 1.8.0 released

2021-11-26T00:00:00+01:00

Besides many bugfixes, this release also has a few new features:

ZONEMD support in ldns-signzone and ldns-verify-zone
Draft implementation of the SVCB and HTTPS RR types. Use --enable-rrtype-svcb-https with configure to compile with these supported.

Related links:

Routinator 0.10.2 ‘Skuffet, men ikke overrasket’ released

2021-11-09T15:00:00+01:00

We are pleased to announce the latest release of Routinator, version 0.10.2 ‘Skuffet, men ikke overrasket.’

This release is part of a Coordinated Vulnerability Disclosure for vulnerabilities in RPKI relying party implementations conducted by the University of Twente and the National Cyber Security Centre of the Netherlands (NCSC-NL). It provides fixes for three issues, CVE-2021-43172, CVE-2021-43173 and CVE-2021-43174, that allow malicious RRDP repositories to either stall validation or cause Routinator to run out of memory.

For more information on the issues, see the RPKI security advisories.. The full list of changes in this release is available in the release notes..

None of these fixes change Routinator's behaviour. All users are encouraged to update to this version.

Related links:

NSD 4.3.8 released

2021-10-12T10:00:00+02:00

Today, we released version 4.3.8 of the authoritative DNS nameserver NSD.

This release fixes a crash bug in delegation answers, and fixes in NSEC3 answers. Also compile fixes for OpenSSL. The OpenSSL 3.0 API is supported.

The Mutual TLS feature allows for client authentication for XFR-over-TLS connections, use the client-cert, client-key and client-key-pw options to set up the certificate that NSD then uses to connect to the upstream server to download the zone with.

The default for DNS Cookies is updated. It is now off to stop wrong behaviour in mixed server deployments.

You can get source packages of this version from the downloads page.

Related links:

Routinator 0.10.1 ‘That's No Moon’ released

2021-09-20T15:00:00+02:00

We are happy to announce the latest release of Routinator, version 0.10.1 ‘That's No Moon.’

This release of Routinator introduces major new user-interface features. It now allows users to validate prefixes against ASNs found in BGP announcements. Next to that it allows users to lookup related prefixes for the prefix they're searching for. These related prefixes can be more- or less-specific prefixes, routed in BGP or prefixes that are allocated by one of the five RIRs (Regional Internet Registries).

The user interface can now also be run completely separately from Routinator itself. It now has its own Github repository. See the README for details on how to run this interface stand-alone.

The full list of changes is as always available in the release notes.

Related links:

Routinator 0.10.0 ‘Through Many Dangers, Toils, and Snares’ released

2021-08-23T15:00:00+02:00

We are happy to announce the latest release of Routinator, version 0.10.0 ‘Through Many Dangers, Toils, and Snares.’

In Routinator 0.9.0 we changed the way we store the local copy of the repository. An unfortunate side effect was that it increased the memory consumption of Routinator rather dramatically. As we were unhappy with that, we rewrote the storage system again and with this release we are back at previous levels.

In addition, we implemented a number of smaller quality of life improvements and fixed a few other issues.

The full list of changes is as always available in the release notes.

Related links:

Unbound 1.13.2 released

2021-08-12T10:00:00+02:00

We are pleased to announce the release of version 1.13.2 of the Unbound recursive DNS resolver.

The release contains a bugfix to fix the make install of the python module after build changes introduced in this release rc1.

This release contains a number of bug fixes. There is a crash fix for broken internal structures in stream reuse, that is used when many TCP or TLS upstream connections are made. Also a number of features are added.

The ZONEMD support allows verification of downloaded authority zone files with the zonemd hash. It can be enabled with the zonemd-check option. It implements RFC8976. With zonemd-permissive-mode it is possible to try out the functionality without withholding the zone if the checks fail. With zonemd-reject-absence the zonemd record becomes a requirement for a zone.

It is possible to use interface names for the control-interface as well, it was already possible for the interface, but now also for the remote control functionality. It allows the user to config the interface with the interface name, like 'eth0', instead of an IP address.

It is possible to configure the persistent TCP connection, with the options max-reuse-tcp-queries and tcp-reuse-timeout. These also apply to TLS reused connections.

The local zone types always_null, always_nodata and always_deny work inside the local zones that are defined inside a view.

The log servfail error message now includes more information, it attempts to add an IP address and information about the one of the last failures that is associated with that query.

With the option tcp-auth-query-timeout, the time to wait for queries to upstream authority servers can be configured, for TCP and TLS queries.

It is possible to configure unbound with --with-deprecate-rsa-1024, that stops the use of RSA 1024 keys. That makes unbound work with certain FIPS installations that do not allow such calls to the crypto API. If the option is enabled, Unbound treats RSA keys with an insufficiently sized key as not supported. Responses with unsupported crypto are marked insecure.

The NSEC3 maximum iterations are lowered to 150. This is the new default setting. This puts this in line with other DNS implementations. If the iterations count is exceeded the response becomes insecure.

The number of validator retries when there is a DNSSEC failure can be configured with the val-max-restart option.

The RR types SVCB and HTTPS are supported according to the draft specification. The syntax can be used in local zones and zone files, and debug output. The types themselves were already supported on the wire the RFC3597 unknown RR type support.

The HTTP user agent header can be configured or elided, to avoid printing the version of type of the software running on the server, with the options http-user-agent and hide-http-user-agent.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.3.7 released

2021-07-22T16:00:00+02:00

Today, we released version 4.3.7 of the authoritative DNS nameserver NSD.

This release fixes a crash in dnstap. New features are XoT which provides AXFR and IXFR over TLS, and DNS Cookies support and SVCB and HTTPS RR type support.

For zone transfer TLS can be turned on by specifying the tls-auth-name in the request-xfr config option, like request-xfr: 192.0.2.1 NOKEY ns.example.com. With the tls-cert-bundle option, in the server section, the list of certificates for authenticating the transfers over TLS can be configured.

The DNS cookies can be turned on or off with the answer-cookie option, and instead of a randomly generated secret, for anycast or loadbalanced deployment, the secret can be configured with cookie-secret or cookie-secret-file and rollover of the cookie secret can be performed with the nsd-control commands add_cookie_secret, activate_cookie_secret and drop_cookie_secret, using the cookie-secret-file.

The SVCB and HTTPS RR type support mean that in zone files the syntax for these RR types can be used and is written when a zone is downloaded. In previous versions the unknown RR type support code provided a fallback syntax in zone files and on the wire functionality for these types.

You can get source packages of this version from the downloads page.

Related links:

Routinator 0.9.0 ‘Raptor Bash for Life’ released

2021-07-03T15:00:00+02:00

We are happy to announce the latest release of Routinator, version 0.9.0 ‘Raptor Bash for Life.’

This release fundamentally changes how Routinator maintains the local copy of the RPKI cache. It now separately keeps track of the raw data retrieved from the RPKI repositories and the last known set of correctly published files. This allows Routinator to deal more robustly with partial or erroneous updates – it can now just keep using the previously published set until the repository is fixed (or the objects expire). The price for this greater robustness is increased storage size and RAM usage. At time of writing, about 1.3 GB of disk space is used. If you were running Routinator on an very barebones system, e.g. 1GB total RAM, you should now give it 2GB.

For RRDP and this known good data set we switched from storing data directly in the file system to using a key-value database.

Routinator now keeps track of many more metrics. Detailed numbers are available for each object type both on a per-TAL and – new – per-repository basis. If you’re using Prometheus, it should pick up these new metrics right away. They are also shown in the bundled UI.

Two important things require an action from you:

The previously available per-trust anchor metrics have been renamed to fit with the new naming scheme. They can now be found under the prefix routinator_ta and use the label name (instead of the previously used tal) for the individual trust anchors.
LACNIC has published a new Trust Anchor Locator (TAL). We recommend to reinitialise your TALs after upgrading to Routinator 0.9.0 with the routinator init --force command. We also bundle additional TALs for various test setups that are only installed on request. A list of these is available through routinator init --list-tals.

In addition, we added many new features and improved existing ones. A full list of all these is available in the release notes and the completely overhauled documentation.

And finally, good new for users running Centos 7 and 8. Starting with this release, we are publishing binary packages for these distributions in addition to the already available Debian packages via our package repository. More details can be found in the installation instructions.

Related links:

tsuNAME vulnerability and Unbound

2021-05-10T17:00:00+02:00

Last week, SIDN Labs, InternetNZ and USC/ISI researchers announced the vulnerability called tsuNAME [1]. With the analysis of the impact of tsuNAME, the researchers have also evaluated a number of open source DNS software, including Unbound. In their research they have assessed that Unbound is not vulnerable to the tsuNAME attack [2] (Section 5.1).

Cyclic dependencies in name servers

With the design and implementation of Unbound, the specific case of cyclic dependencies in name servers for a domain was already considered. [RFC1536] also mentions recursion bugs in Section 2 of the document.

In a so-called exploration phase, Unbound will discover name servers for a domain name and caches the results of the NS record lookups. In this exploration phase, Unbound has implemented both cycle detection and for the TTL of the cached NS records it will not send any further queries to upstream servers. This behaviour prevents further lookups and annuls a potential tsuNAME attack, and as such Unbound cannot be made instrumental in facilitating a DDoS attack on authoritative name servers.

OpenDNSSEC 2.1.9 released

2021-05-06T13:45:00+02:00

This release contains two changes that avoid some problems with certain HSM configuration, one of them is SoftHSMv2 in database back-end mode. This can lead to temporarily not being able to sign zones, hence upgrading is really recommended. It does not occur on all systems and configurations though.

The 2.1.9 release is available immediately from the download site.

Issues

OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys to be (transiently) unavailable.
OPENDNSSEC-956: Harden signing procedure to still sign zones for which there are unused keys specified in the zone which are unavailable.

Download

For OpenDNSSEC 2.1.9 download and additional information:

OpenDNSSEC 2.1.9 release announcement

NSD 4.3.6 released

2021-04-06T14:00:00+02:00

Today, we released version 4.3.6 of the authoritative DNS nameserver NSD.

This release contains a bug fix for a zone file parse failure for text records. The release also adds the feature to print a local address, if the address is configured, in dnstap logs. The interface for nsd-control can be specified with an interface name. The zone that was parse successfully can be printed with the nsd-checkzone -p option. Also added is support to emit DNS extended errors via the EDNS option from RFC8914. It is possible to stop queries for certain zones, depending on IP address and TSIG key, with the new allow-query option, for zones that do not need to be queried, like meta zones with configuration information.

You can get source packages of this version from the downloads page.

Related links:

Discontinuing the 1-Click Apps for Krill

2021-02-25T12:30:00+01:00

About one year ago we introduced a 1-Click App for Krill on the AWS Marketplace and DigitalOcean Marketplace. It was introduced in a time when installing and configuring Krill involved quite some steps. The goal was to allow operators to get started with Krill quickly, to gain operational experience with delegated RPKI.

Since then, we have introduced Debian and Ubuntu packages for Krill on the NLnet Labs package repository, which will soon offer RPM packages as well. We also offer a Docker container image and a public RPKI testbed. All these solutions have significantly reduced the need for the 1-Click Apps. Nowadays, getting started with Krill is as simple as apt install krill and opening the Krill user interface in a browser.

As a result, we are discontinuing the AWS Marketplace and the DigitalOcean Marketplace 1-Click Apps. Existing installations will keep working, but will no longer receive updates.

Related links:

OpenDNSSEC 2.1.8 released

2021-02-23T16:20:00+01:00

This release of 2.1.8 fixes a number of bugs related to the purging of keys, a potential denial of service vulnerability in some installations, and a few rare but nasty potential crashes. Earlier versions of OpenDNSSEC 2.1 might not have all keys purged from the HSM if instructed to do so. Since this is now done automatically this is worth pointing out that this was a bug and old keys will be permanently removed from the HSM.

Special thanks to the people who helped us make OpenDNSSEC better and better, they are as always mentioned in the NEWS file. Two of the bugs were only traceable with their help.

The 2.1.8 release is available immediately from the download site.

Issues

OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for version 2.69/1.16.2.
SUPPORT-261: Fix to crash when using ods-enforcer set-policy command.
OPENDNSSEC-953: Fix to crash in case zone file not present while getting a signconf update and state flush command. Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
OPENDNSSEC-951: Modify the purging of keys, to make it automatic to purge keys from the HSM. Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
OPENDNSSEC-950: Fix that caused crash when signer was offline for a prolonged period (but the enforcer wasn’t) in the middle of a ZSK roll.
OPENDNSSEC-952: memory leak in when receiving NOTIFY for non-existent zone. Thanks to Sébastien Tisserant for reporting.

Download

For OpenDNSSEC 2.1.8 download and additional information:

OpenDNSSEC 2.1.8 release announcement

Unbound 1.13.1 released

2021-02-09T10:00:00+01:00

We are pleased to announce the release of version 1.13.1 of the Unbound recursive DNS resolver.

This release contains a number of bug fixes. There is added support for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID option (RFC 5001). Unbound control has added commands to enable and disable rpz processing. Reply callbacks have a start time passed to them that can be used to calculate time, these are callbacks for response processing. With the option serve-original-ttl the TTL served in responses is the original, not counted down, value, for when in front of authority service.

For a full list of changes and binary and source packages, see the download page.

Related links:

Routinator 0.8.3 ‘Like and Subscribe’ released

2021-02-02T15:00:00+01:00

We are happy to announce the latest release of Routinator, version 0.8.3 ‘Like and Subscribe.’*

While we are still hard at work for the next big release of Routinator, we have a treat for Routinator users that aren’t routers: The very first version of a lightweight user interface.

The user interface provides two main functions. First, it displays statistics from the last validation run Routinator has performed. Secondly, you can use the user interface to verify the RPKI origin validation status of an AS Number and IP Prefix combination.

Verifying the validation status can be done by entering an existing BGP announcement or an ASN and prefix of your choice, for example for an announcement you're planning to do. The returned RPKI validity state will be Valid, Invalid or Not Found and is based on the current set of Validated ROA Payloads (VRPs) in the cache. Routinator will provide an overview of all VRPs that led to the result, along with the reason for the outcome.

This UI is available via the regular HTTP interface at the "/" endpoint and requires access to /api and /ui (in case you use a reverse proxy). It was built using Vue.js as Javascript framework, Element as UI framework and queries the existing Routinator API. It is maintained as a separate project on Github.

The new UI is the only change in this release. So, if you are not interested in it, you can safely skip it.

You can find more information on Routinator on Github.

Related links:

* And hit the bell icon, too!

NSD 4.3.5 released

2021-01-26T10:00:00+01:00

Today, we released version 4.3.5 of the authoritative DNS nameserver NSD.

This release fixes a number of bugs. It fixes a number of corner case differences for the output more similar to Bind. The configure sources are compatible with the new autoconf 2.70.

You can get source packages of this version from the downloads page.

Related links:

RTRTR 0.1.1 ‘Death Metal Karaoke‘ released

2020-12-11T12:00:00+01:00

We are happy to announce the second release of RTRTR, version 0.1.1 ‘Death Metal Karaoke.’

With this version, RTRTR supports collecting data from upstream RTR servers as well as from JSON documents fetched via HTTP or read from local files. If multiple sources are defined, it can fail over to another source if its currently used source becomes unavailable. Data can be dispatched either via RTR or as JSON via HTTP.

RTRTR is still in early development. We are planning to add support for more data formats in the future. In addition, we plan to add secure transport channels for RTR.

You more information about RTRTR including installation instructions on Github.

Related links:

Routinator 0.8.2 ‘Once More, with Feeling’ released

2020-12-09T15:00:00+01:00

We are happy to announce the latest release of Routinator, version 0.8.2 ‘Once More, with Feeling.’

This release adjusts the validation behaviour of Routinator. As the rules proposed by draft-ietf-sidrops-6486bis and implemented by Routinator since version 0.8.0 turned out to be too strict, validation has been relaxed again. A CA is now only rejected and all its objects ignored if the manifest or CRL are invalid or if any of the objects listed on the manifest are either missing or have a different hash. Previously, a CA was rejected entirely if objects themselves where invalid for any reason, including cases such as expired child certificates.

All users of Routinator 0.8.0 and 0.8.1 are encouraged to upgrade to this release.

You can find the complete list of changes in the release notes and more information on Routinator on Github.

Related links:

Unbound 1.13.0 released

2020-12-03T10:00:00+01:00

We are pleased to announce the release of version 1.13.0 of the Unbound recursive DNS resolver.

This version has fixes to connect for UDP sockets, slowing down potential ICMP side channel leakage. The fix can be controlled with the option udp-connect: yes, it is enabled by default.

Additionally CVE-2020-28935 is fixed, this solves a problem where the pidfile is altered by a symlink, and fails if a symlink is encountered. See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more information.

New features are upstream TCP and TLS query reuse, where a channel is reused for several queries. And http-notls-downstream: yesno for unencrypted DoH, useful for back end support servers. The option infra-keep-probing can be used to probe hosts that are down more frequently.

The options edns-client-string and edns-client-string-opcode can be used to add an EDNS option with the specified string in queries towards servers, with the servers specified by IP address. It replaces the edns-client-tag option.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.3.4 released

2020-12-01T13:30:00+01:00

Today, we released version 4.3.4 of the authoritative DNS nameserver NSD.

This release fixes CVE-2020-28935, this solves a problem where the pidfile is altered by a symlink, and fails if a symlink is encountered. See https://nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt for more information.

Also there are bug fixes and the syntax of the RR type ZONEMD can be used in zonefiles.

You can get source packages of this version from the downloads page.

Related links:

Routinator 0.8.1 ‘Pure as New York Snow’ released

2020-11-30T15:00:00+01:00

We are happy to announce the latest release of Routinator, version 0.8.1 ‘Pure as New York Snow.’

This release is a bug fix release correcting issues found in 0.8.0.

First, when using local exceptions (also called SLURM), VRPs matched by a prefix filter were still added to the final data set. If you are using local exceptions to filter VRPs, you should upgrade to 0.8.1.

Second, the prefix validation feature available via the validation command and the /validity HTTP endpoint accidentally matched host prefixes with an idendical bit pattern to a covering, less specific VRP, thus marking such prefixes as valid.

Finally, we introduced two inconsistencies in new config file options added in 0.8.0. The config key for unknown-objects was using an underscore instead of a dash and the value for rtr-tcp-keepalive was expected to be a string rather than an integer value. Both these have been fixed. However, the previous config key and value type are still accepted until 0.9.0.

You can find the complete list of changes in the release notes and more information on Routinator on Github.

Related links:

Introducing JDR

2020-11-19T16:45:00+01:00

We've launched the first version of JDR, our hosted tool to check anything in the RPKI. While not yet 100% feature complete, we think it already offers useful insights to operators and implementors, and moreover, we would like their input and ideas for further developments of JDR. In this blogpost we go into some of the mechanics and goals of our tool, but for the impatient, have a go at https://jdr.nlnetlabs.nl!

SAD DNS and NLnet Labs DNS software

2020-11-18T11:09:00+01:00

During the recent ACM CCS conference 2020, researchers presented a clever new variant of DNS cache poisoning attack that they call "SAD DNS". This attack is yet more proof that DNS cache poisoning remains a threat, and all the more reason to invest in the only real protection against this type of attack: deploying DNSSEC.

In our blogpost, we explain what you need to know about SAD DNS, and what it means for NLnet Labs DNS software:

SAD DNS and NLnet Labs DNS software

Krill 0.8.1 'The Gentle Art' Released

2020-11-17T12:30:00+01:00

We are happy to introduce Krill 0.8.1 'The Gentle Art'. This release is less restrictive when creating ROAs, while still providing enough guidance to accurately reflect your routing intent.

Krill automatically downloads BGP announcement information from RIPE RIS and uses this to analyse the known BGP announcements for the address space on your resource certificate(s). This allows Krill to show the RPKI validation status of your announcements, warn about possible issues, and do some suggestions on ROAs you may want to create or remove.

Krill 0.8.1 recognises the following 'States' in its analysis:

State	Explanation
NOT FOUND	This announcement is not covered by any of your ROAs
INVALID ASN	The prefix for this announcement is covered by one or more of your ROAs. However, none of those ROAs allow announcements of this prefix by this ASN.
INVALID LENGTH	The ASN for this announcement is covered by one or more of your ROAs. However, the prefix is more specific than allowed.
SEEN	This is a ROA you created which allows at least one known BGP announcement. Note it may also disallow one or more other announcements. You can show details if you click on the '>' icon.
TOO PERMISSIVE	This ROA uses the max length field to allow multiple announcements, but Krill does not see all most specific announcements in its BGP information.
REDUNDANT	This is a ROA you created which is included in full by at least one other ROA you created. I.e. you have a ROA for the same ASN, covering this prefix and including the maximum length.
NOT SEEN	This is a ROA you created but it does not cover any known announcements. This may be a ROA you created for a backup or planned announcement. On the other hand, this could also be a stale ROA in which case it is better to remove it.
DISALLOWING	This is a ROA for which no allowed announcements are seen, yet it disallows one or more announcements. If this is done on purpose it may be better to create a ROA for ASN 0 instead.
AS0	This is a ROA you created for a prefix with ASN 0. Since ASN 0 cannot occur in BGP such ROAs are effectively used to disallow announcements of prefixes on the global BGP table.
REDUNDANT (AS0)	An AS0 ROA is considered redundant in case you have at least one ROA covering the entire prefix for a real ASN. In such cases this ROA does not provide any further protection on top of that existing ROA.

In addition to this we have included some small improvements for the Krill Publication Server. To install Krill 0.8.1 you can use Cargo, the Rust package manager, or use the packages for Debian and Ubuntu we provide on https://packages.nlnetlabs.nl

Related links:

NLnet Labs becomes a CVE Numbering Authority (CNA)

2020-10-28T18:00:00+01:00

We are delighted to announce that NLnets Labs joins over 140 other leading technology organisations authorised to be a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA).

Common Vulnerabilities and Exposures (CVE) is an international, cybersecurity, community effort that maintains a list of standarised common identifiers for publicly disclosed cybersecurity vulnerabilities and exposures. CVE Numbering Authorities (CNAs) are organisations from around the world that are authorised to assign CVE numbers to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

We are joining this community effort to help address the CVE Program's primary challenge to satisfy the demand for timely, accurate CVE number assignments and the evolving state of vulnerability management. By being a CNA we will be able to:

Streamline vulnerability disclosure processes;
Assign CVE numbers without having to share embargoed information with another CNA;
Control the CVE publication release process for vulnerabilities in our scope (NLnet Labs products).

You can read about our disclosure policy and how to contact us securely at our security report page. Security advisories for all the products can be found here or at each product's own page.

Related links:

MITRE announcement

Krill 0.8.0 'The Art of ROA Maintenance' Released

2020-10-28T13:30:00+01:00

We are happy to introduce Krill 0.8.0 'The Art of ROA Maintenance'. In this version we have added further refinements to the ROA management interface to give users the confidence that their authorisations accurately reflect their BGP announcements.

The first of these improvements are warnings about ROAs that are too permissive, meaning that they allow more announcements than what is seen in BGP. This encourages users to apply best operational practices. Secondly, Krill will not allow the creation of redundant ROAs, or ROAs that would make other ones redundant. Lastly, there is now support for AS0 ROAs, which are explicit statements that specify which prefixes should never be seen on the public Internet.

The backend has several improvements and refinements as well, such as allowing aggregation of ROAs to lower the number of objects, and improved reporting on communication with parents and repository. To make Krill more resilient, we have added recovery functionality in case data on disk is incomplete due to for example a full disk or failed system. In relation to this, we now ensure Krill stops in case data cannot be written to disk to prevent inconsistent states. Lastly, Krill does a full re-synchronisation with its parents and the repository on startup.

With this release we have also started to operate a Krill testbed service. The testbed offers both a parent CA and a repository. As such you can just run a Krill instance, on a laptop even, without the need to operate real infrastructure for testing.

It allows you to register any resources for your Child CA, allowing you to test with your real resources. Because this testbed uses its own TEST Trust Anchor — ROAs created here will not end up being used by production routers.

You can find the test service here: https://testbed.rpki.nlnetlabs.nl/

To install Krill 0.8.0 you can use Cargo, the Rust package manager, or use the packages for Debian and Ubuntu we provide on https://packages.nlnetlabs.nl

Related links:

"Testing .. 123 Delegated RPKI", blog post on the RPKI testbed service
Release notes
Krill Github repository
Krill Documentation
NLnet Labs RPKI Tools

Routinator 0.8.0 ‘Strikes and Gutters, Ups and Downs’ released

2020-10-19T15:00:00+02:00

We are happy to announce the latest release of Routinator, version 0.8.0 ‘Strikes and Gutters, Ups and Downs.’

This release brings major changes to the way Routinator validates the objects published in the RPKI repository. It mostly follows the rules proposed by draft-ietf-sidrops-6486bis currently discussed in the SIDROPS working group of the IETF.

The most important change is that if any object published by a CA is found to be invalid, the entire CA – including all its objects – is rejected. This means that none of its ROAs are included nor are any of its child CAs even being looked at. This avoids a possible situation where a legitimate route is being marked as RPKI invalid because only a subset of the ROAs covering its prefix were considered valid and used. This change resolves CVE-2020-17366.

Even with this revised strategy such an invalidation of a valid route can, however, still occur if the covering ROAs are spread over multiple CAs via a parent of a rejected CA. In order to avoid these cases, this release contains an experimental feature we dubbed ’filtering of unsafe VRPs.’ It can be enabled via the --unsafe-vrps=reject option and will cause all VRPs overlapping any address prefix delegated to a rejected CA to be filtered out of the final VRP set.

This feature is disabled by default since we aren’t quite sure of the potential impact of such a filter in practice. To gain some practical insights, Routinator will log all the VRPs it would have filtered if the feature were enabled.

The rules proposed by the draft also suggest to consider any stale manifests and CRLs to be invalid. Routinator now follows this proposal by changing the default for the --stale option to reject.

There are, however, two diversions from the current form of the proposal. For one, consensus has not been reached on the proposed strategy to reject any object of an unknown type as this has consequences on introducing new object types to the RPKI. Routinator will instead check that unknown objects are published and have a hash digest corresponding to that stated in the manifest and accept (and subsequently ignore) them if they do.

The proposal also suggests to use previously valid data from a CA that is rejected if such data is available and would still be valid. Unfortunately, the current repository synchronization strategy implemented in Routinator overwrites all previous data when fetching from upstream. This reuse will be addressed in the next release.

In addition to these big changes, there are a number of small changes. You can read about all of them in the release notes.

Finally, users of Debian and Ubuntu might be interested in our unofficial package archive which now also contains packages for Routinator. See packages.nlnetlabs.nl for more information.

Related links:

NSD 4.3.3 released

2020-10-08T09:00:00+02:00

Today, we released version 4.3.3 of the authoritative DNS nameserver NSD.

This release contains the DNS Flag Day 2020 fixes. This sets the default EDNS buffer size to 1232, that should reduce fragmentation. https://dnsflagday.net/2020/

There is a new feature where it is possible to list an interface by name. This pulls in the IP addresses associated with the interface at server start.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.12.0 released

2020-10-08T09:00:00+02:00

We are pleased to announce the release of version 1.12.0 of the Unbound recursive DNS resolver.

This release contains the DNS Flag Day 2020 changes. This sets the default EDNS buffer size to 1232, that should reduce fragmentation. https://dnsflagday.net/2020/

There is inclusive language in the configuration. There is caps-exempt, ipsecmod-allow and primary server options for auth-zones. The older terms are accepted to keep configuration working.

DNS-over-HTTPS is supported in this release. The DoH is enabled when Unbound is compiled with the nghttp2 library, with configure --with-libnghttp2. Then have an interface on the https port, that can be configured with the https-port option. Also have a cert and key available with the tls-service-key and tls-service-pem options. Further settings can be configured for the http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size and http-nodelay options. The max streams sets the maximum concurrent streams, the buffer size options the number of bytes in buffers, and the nodelay option can turn on TCP_NODELAY for DNS-over-HTTPS service. In the statistics the memory used is reported in mem.http.query_buffer and mem.http.response_buffer. The number of queries is reported in num.query.https, they are also included in the tcp and tls counts because https uses TLS and TCP.

The DLV options and code to handle DLV lookups have been removed from the code base. The DLV repository is empty nowadays, it has been decommissioned.

There is a new feature where it is possible to use interface names to bind to the IP addresses on that interface. It pulls in the addresses at the start of the server, if the addresses change, use the existing freebind and other socket options to register for addresses before they appear, or the interface-automatic option that copies them from queries to answers with ancillary data.

There is a new option for the edns-tag draft specification. It can be enabled if you need the tentative implementation to add those tags to outgoing messages.

For a full list of changes and binary and source packages, see the download page.

Related links:

Unbound 1.11.0 released

2020-07-27T11:00:00+02:00

We are pleased to announce the release of version 1.11.0 of the Unbound recursive DNS resolver.

This release contains a number of bug fixes. Also new features are introduced. The configure --with-dynlibmodule enables dynamic library support that can have code modules function like the python library scripts. It allows to load multiple dynlib instances. The new include-toplevel: <file or wildcard> configuration option allows to include a directory with config files where every config file does not modify the config section for the later files so that the include order is idempotent. This makes it much easier to drop files into a config snippet directory in etc and manage that set of config files, without for example one config file starting a stub section and creating parse errors in another config file with server options.

The rrset-roundrobin option is now default to yes. This is more in line with what users expect. The KSK-2010 has been removed from our default key set output. The option prefer-ip4 can be used to prefer ip4 over ip6 when reputation for the ip6 netblock is shared with other users.

There is also a dnstap implementation inside Unbound. This removes the dependency on the libfstrm library. The protobuf library is still used. The fstrm protocol code resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This contains a brief definition of what unbound needs.

The make unbound-dnstap-socket builds a debug tool, unbound-dnstap-socket. It can listen, accept multiple DNSTAP streams and print information. Commandline options control it.

Unbound can reconnect if the unix domain socket file socket is closed. This uses exponential backoff after which it uses a one second timer to throttle cpu down. There is also support to use TCP and TLS for connecting to the log server. There are new config options to turn them on, in the dnstap section in the man page and example config file. dnstap-ip with IP address of server for TCP or TLS use. dnstap-tls to turn on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle, dnstap-tls-client-key-file and dnstap-tls-client-cert-file to configure the certificates for server authentication and client authentication, or leave at "" to not use that. With dnstap-bidirectional the frame streams can be set to bidirectional or unidirectional connection mode.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.3.2 released

2020-07-14T14:00:00+02:00

Today, we released version 4.3.2 of the authoritative DNS nameserver NSD.

This release fixes a number of bugs, and adds options to set log-only-syslog and min-expire-time in nsd.conf and nsd -v for configure line and library versions.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.7.2 'Small Bites' Released

2020-06-29T13:30:00+02:00

This release fixes an issue where BGP RIS Dump files that were not properly retrieved would cause a thread to choke. As this can lead to lock poisoning this type of event could cause other Krill processes to stop functioning properly. All users of Krill 0.7.0 and 0.7.1 are advised to upgrade.

In addition to this bugfix, Krill now also speaks German.

Zertifizierungsstellen

You can read more about Krill's ROA management based on BGP announcements in our blog post.

Related links:

Krill 0.7.1 'Sobremesa' Released

2020-06-25T13:30:00+02:00

We are incredibly excited that six months after the first release of Krill it already powers delegated RPKI for over 150 organisations. Today we are launching Krill 0.7.1 'Sobremesa', the biggest update yet of our open source RPKI Certificate Authority software. This version lets you create and maintain Route Origin Authorisations (ROAs) based on your BGP announcements. This makes it incredibly easy to manage ROAs.

Krill already lets you manage and publish ROAs seamlessly across multiple Regional Internet Registries. Now Krill will also tell you what the effect is of all ROAs that you created, indicating which announcements seen in BGP are authorised and which ones are not, along with the reason. This ensures your ROAs accurately reflect your intended routing at all times.

A concise overview of all your ROAs and BGP announcements with your address space

All status and validity information is clearly displayed in the user interface, giving you an immediate insight into which ROAs and BGP announcements require your attention. Announcements with an Invalid or NotFound state can be authorised with just a few clicks and will be published immediately. Krill will also inform you if there are any ROAs that don't seem to affect any announcements at all, allowing for easy housekeeping.

In addition to all of this new functionality, we now also provide Krill packages for recent Debian and Ubuntu releases and we added a Dutch translation for the UI.

Please ensure you follow the upgrade instructions to safely run the latest version. If you run the Krill 1-Click App through the DigitalOcean Marketplace or the AWS Marketplace you can simply run krillmanager upgrade to install the latest release.

You can read more about these new features in our blog post.

Related links:

Routinator 0.7.1 ‘Moonlight and Love Songs’ released

2020-06-16T15:00:00+02:00

We are happy to announce the latest release of Routinator, version 0.7.1 ’Moonlight and Love Songs.’

While this release is primarily a maintenance release, updating the versions of the libraries used, it brings one interesting change: The TALs included now contain HTTPS URIs for the trust anchor certificates of four of the five RIRs.

Originally, the trust anchor certificates – like everything else in RPKI – were downloaded using rsync. With RRDP now allowing to download RPKI data using HTTPS and option was added in RFC 8630 allow downloading the trust anchor certificates directly via HTTPS. Routinator is supported this since version 0.6 and now all four RIRs that support RRDP have also published their trust anchor certificate via HTTPS.

Consequently, we have updated the TALs that come with Routinator to include the HTTPS URIs for these locations. Starting with the release, Routinator will also prefer HTTPS URIs over rsync URIs unless the use of RRDP has been disabled.

Since Routinator uses the TALs stored on disk, you will need to re-install the set of TALs using the command routinator init -f in order for the new URIs to become effective.

You can find the complete list of changes in the release notes and more information on Routinator on Github.

Related links:

Researching a New NSD Database: Adaptive Radix Tree

2020-06-11T10:00:00+02:00

NLnet Labs' authoritative nameserver NSD currently supports two different data structures for its main memory database: red-black tree en radix tree. Both data structures have their strengths and weaknesses, red-black tree implementation is more memory efficient and the radix tree is more performant (faster). Jeroen Koekkoek explores a new data structure for NSD database, namely adaptive radix tree. This data structure was proposed in 2013 and is designed for modern computer systems for which it offers great performance and space efficiency.

Jeroen has written a blog post where he introduces the adaptive radix tree and details how the data structure can be used for a nametree and what design decisions have been made to fit the nametree on modern CPUs with SIMD instruction support.

Related links:

Blog post

Unbound 1.10.1 released

2020-05-19T10:00:00+02:00

We are pleased to announce the release of version 1.10.1 of the Unbound recursive DNS resolver.

This release fixes CVE-2020-12662 and CVE-2020-12663.

For a full list of changes and binary and source packages, see the download page.

Related links:

Krill 0.6.0 'Go with the Flow' Released

2020-05-18T13:30:00+02:00

A few days ago we released Krill 0.6.0 'Go with the Flow'. The most visible change in this release is that the embedded user interface now includes French, Greek and Spanish translations.

The Krill user interface in Greek

The vast majority of the work went into making Krill use Rust's asynchronous code. We migrated from actix-web to Hyper. Hyper is a fast, safe and fully asynchronous web framework which has a lot of momentum behind it. This change also meant that we needed to ensure that Krill itself uses safe asynchronous code whenever it connects to a remote system, like a parent or repository, or in case of the CLI the Krill API itself.

In addition to this we improved the history API to ensure that Krill will no longer use an excessive amount of history in cases where a CA has a long history. The API is still subject to change, and therefore we will only document this in future. In the meantime however, the CLI may be used to show the history of your CA.

Since releasing Krill 0.6.0 we discovered that a problem could arise as a result of the Krill Repository Server deleting RRDP snapshot files as soon as a new notification file is published. This leads to issues in case a cached notification file is served to validators. As a result, we have also released version 0.6.1 and 0.6.2 in quick succession to ensure that old snapshot files are kept for 10 minutes.

Related links:

Krill available on the AWS Marketplace

2020-05-11T10:00:00+02:00

We are excited to announce that Krill is available as a 1-Click App on the AWS Marketplace.

The Krill 1-Click App brings together all of the puzzle pieces needed to administer and run an RPKI Certificate Authority and publication server in the AWS cloud. It allows you to easily set up Delegated RPKI with one or more Regional or National Internet Registries and seamlessly manage ROAs for all address space as a single pool. You can choose to publish ROAs yourself using the included NGINX and rsync servers, or publish with a third party.

The Krill 1-Click App builds on Docker and Gluster to scale from one of the smallest virtual machines to a fleet of AWS EC2 instances behind an AWS Elastic Load Balancer, adding availability and capacity for both RRDP and rsync clients, or use Content Delivery Network edge caching of RRDP content.

You can also get insights by streaming metrics from the provided monitoring endpoints to Prometheus and by using Fluentd outputs to send logs to targets such as Amazon S3 or a log analysis provider of your choice. The included Krill Manager setup wizard gets you up and running quickly using an optional, automatically managed Let's Encrypt TLS certificate.

Watch the introduction video to the Krill 1-Click App on YouTube.

Related links:

Routinator 0.7.0 ‘Your Time Starts … Now’ released

2020-05-06T15:00:00+02:00

We are happy to announce the latest release of Routinator, version 0.7.0 ’Your Time Starts … Now.’

The most important changes in this release are internal. We’ve updated the processing and server logic to the advances made in the Rust ecosystem for easier parallel processing often called ’async/await.’ With this work completed, we believe that there are no major hurdles left towards a stable 1.0 release of Routinator.

We have also tightened the rules for validation of RPKI objects based on community feedback. Routinator now discards CRLs that are mentioned on certificates and are present in the repository but fail to appear on their manifests or don’t match their manifest hash. This results in these objects being invalid.

An option was added to change how Routinator deals with stale CRLs and manifests. Stale here means that they have been promised to be updated by now but that hasn’t happened. Until now, Routinator logged a warning and used them anyway. You can now select between rejecting, warning, and quietly accepting these objects via the new --stale option.

Finally, there are a few additional niceties: Routinator now can produce output for Bird and Bird 2 and all output formats are now available via the HTTP server. We have also optimized memory consumption quite a bit.

You can find the complete list of changes in the release notes and more information on Routinator on Github.

Related links:

NSD 4.3.1 released

2020-04-16T11:05:00+02:00

Today, we released version 4.3.1 of the authoritative DNS nameserver NSD.

This release fixes a number of bugs, and fixes a bug for FreeBSD start.

You can get source packages of this version from the downloads page.

Related links:

Krill available on the DigitalOcean Marketplace

2020-04-14T10:00:00+02:00

We are delighted to announce that Krill is now available as a 1-Click App on the DigitalOcean Marketplace.

It was already easy to get started with Krill, our RPKI Certificate Authority and publication server software, as you could install and run it from a clean system with just seven commands.

Now we're taking ease of use and powerful management to the next level. The 1-Click App on the DigitalOcean Marketplace doesn't just deploy Krill, but adds NGINX, Rsyncd, Docker, Gluster, automated TLS configuration, Prometheus monitoring, log streaming and clustering capabilities out-of-the-box. A $5 a month DigitalOcean Droplet is fine for most workloads, but you can scale up in a few simple steps.

These capabilities are made possible by Krill Manager, a tool for running Krill as a highly available scalable service with integration points for monitoring and log analysis. Krill Manager offers an automated setup wizard and is able to upgrade itself, as well as the components that it manages such as Krill, NGINX and Rsync.

Watch the introduction video to the Krill 1-Click App on YouTube. It walks through deploying the package on a Droplet, automatically requesting a Let's Encrypt certificate, setting up delegated RPKI under an RIR and publishing ROAs on our own server in just 6 minutes, real-time.

Try out the Krill 1-Click App by clicking this link. For first time users, the link contains a referral code which gives you $100 60-day credit.

Related links:

NSD 4.3.0 released

2020-03-17T11:05:00+01:00

Today, we released version 4.3.0 of the authoritative DNS nameserver NSD.

This release adds CPU affinity. By pinning a server process to a specific CPU, having a separate network card also for that CPU, and an interface address also for that server process, the throughput is increased. This increases performance of the nameserver.

Sparse TSIG signing support is removed, to comply with the latest TSIG standard update draft.

There is a feature to drop update queries, with opcode UPDATE, with nsd.conf option drop-updates.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.5.0 'Serve no Turf' Released

2020-02-25T12:30:00+01:00

We are very excited about introducing Krill 0.5.0 'Serve No Turf'. This release is a major step forward for the project, improving the installation, onboarding, interoperability and usability of Krill.

The most prominent change you will notice is that Krill now offers a multi-language user interface, allowing you to set up a Certificate Authority, perform the parent exchanges with one or more Regional and National Internet Registries, configure a publication server and manage Route Origin Authorisations (ROAs).

The UI is managed as a separate open source project, named Lagosta. It uses Vue.js as Javascript framework and Element as UI framework. The first release, Lagosta 0.1.0 'Fritto Misto', offers everything to get started with Krill. You can expect the UI to evolve heavily over time, including ROA suggestions, tagging and alerts. The user interface is compiled as static HTML and JS, which is bundled in the Krill package. We're proud that this addition resulted in just an 8MB increase of memory usage, making Krill still completely capable of running on minimalist hardware such as a Raspberry Pi.

But the UI is not the only major change in version 0.5.0. The documentation received an overhaul, clearly laying out every aspect of the software. Krill can now be installed from a new Linux machine in just seven steps, greatly simplifying the process. You can them immediately start using it using either the UI, CLI or API. Lastly, Krill now also offers a Prometheus monitoring end point.

Finally, we ironed out some interoperability issues with ARIN and APNIC, ensuring Krill works reliably with all RIRs. We wish to thank Cynthia Revström for the fantastic help she provided in ironing out some issues we found when setting up Krill under ARIN.

You can find out more about the development and features in our blog post.

Related links:

Unbound 1.10.0 released

2020-02-20T14:00:00+01:00

We are pleased to announce the release of version 1.10.0 of the Unbound recursive DNS resolver.

The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes.

The DNS Response Policy Zones (RPZ) functionality makes it possible to express DNS response policies in a DNS zone. These zones can be loaded from file or transferred over DNS zone transfers or HTTP. The RPZ functionality in Unbound is implemented as specified in draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data.

Enabling the respip module using module-config is required to use RPZ. Each RPZ zone can be configured using the rpz clause. RPZ clauses are applied in order of configuration. Unbound can get the data from zone transfer, a zonefile or https url, and more options are documented in the man page. A minimal RPZ configuration that will transfer the RPZ zone using AXFR and IXFR can look like:

server:
    module-config: "respip validator iterator"

rpz:
    name: "rpz.example.com" # name of the policy zone
    master: 192.0.2.0       # address of the name server to transfer from

The serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10 is now supported in unbound. This allows unbound to first try and resolve a domain name before replying with expired data from cache. This differs from unbound's initial serve-expired behavior which attempts to reply with expired entries from cache without waiting for the actual resolution to finish. Both behaviors are available and can be configured with the various serve-expired-* configuration options. serve-expired-client-timeout is the option that enables one or the other.

The DSA algorithms have been disabled by default, this is because of RFC 8624.

There is a crash fix in the parse of text of type WKS, reported by X41 D-Sec.

In addition, neg and key caches can be shared with multiple libunbound contexts, a change that assists unwind. The contrib/unbound_portable.service provides a systemd start file for a portable setup. The configure --with-libbsd option allows the use of the bsd compatibility library so that it can use the arc4random from it. The stats in contrib/unbound_munin_ have num.query.tls and num.query.tls.resume added to them. For unbound-control the command view_local_datas_remove is added that removes data from a view.

For a full list of changes and binary and source packages, see the download page.

Related links:

NLnet Labs adopts a Code of Conduct

2020-02-10T14:19:00+01:00

We have adopted a code of conduct for NLnet Labs. As of February 2020, this code of conduct applies to all our projects and our interactions with the community. To explain a little bit more about why we adopted a code of conduct, and how we went about the writing process, we have published a post on our blog.

Related links:

OpenDNSSEC 2.1.6 released

2020-02-10T11:30:00+01:00

The OpenDNSSEC 2.1.6 release fixes a number of issues with regard to the key list that was displayed incorrectly (a regression error in 2.1.5) and a small memomry leak in the enforcer (which can add up if you bang the enforcer with a lot of commands). And also a serious signing error when using Combined Signing Keys (CSKs); only relevant if you combine KSK and ZSK in one. CSK users in particular now need this fix. Another nice fix is a reconnect to a MySQL/MariaDB database for which you do not have to adjust any database parameters.

The 2.1.6 release is available immediately from the download site.

Fixes

OPENDNSSEC-913: verify database connection upon every use.
OPENDNSSEC-944: bad display of date of next transition (regression).
SUPPORT-250: missing signatures on using combined keys (CSK).
OPENDNSSEC-945: memory leak per command to enforcer.
OPENDNSSEC-946: unclean enforcer exit in case of certain config problems.
OPENDNSSEC-411: set-policy command to change policy of zone (experimental). Requires explicit enforce command to take effect.

For OpenDNSSEC 2.1.6 download and additional information:

OpenDNSSEC 2.1.6 release announcement

In Memory of Bill Manning

2020-01-26T00:00:00+01:00

We have just learned from friends that Bill Manning died last night. Bill was a member of the original Unbound design team in 2006, and as such instrumental for the success of Unbound resolver.

From the doc/requirements.txt document that is distributed with the Unbound source code:

The Unbound resolver project started by Bill Manning, David Blacka, and Matt Larson (from the University of California and from Verisign), that created a Java based prototype resolver called Unbound. The basic design decisions of clean modules was executed.

Krill 0.4.2 'Finer Things' Released

2020-01-06T16:00:00+01:00

We would like to kick off the new year with the launch of Krill 0.4.2 'Finer Things'. This release fixes a bug and introduces usability improvements based on the experiences users have had with running Krill since the production launch, several weeks ago.

The bug we fixed revolves around some adjacent resources being encoded incorrectly. The fix has been thoroughly tested in production and now, with the holidays behind us, we can make this available to everyone. We recommend every user to upgrade.

Another thing we noted is that several users left the publication point of Krill set to the default of localhost. This caused quite some cluttering up of Relying Party software logs, looking for non-existent certificates and ROAs on the local file system.

To prevent this, a new CA is now set up without a default repository and one must be explicitly configured before a parent can be added to a CA. For most users we recommend that a remote repository is used, e.g. one provided by their RIR or NIR. Alternatively, you can choose to publish your RPKI objects yourself.

Lastly we have made a number of smaller usability improvements, error handling and better defaults you can read about in detail in the release notes.

Related links:

Krill 0.4.1 'Fogo de Krill' Released

2019-12-13T15:00:00+01:00

We are happy to launch Krill 0.4.1 'Fogo de Krill'. This is a bug fix release and we recommend everyone running Krill to update to this version.

Krill now powers the RPKI service that Brazilian National Internet Registry NIC.br offers. During the production launch we uncovered a corner case bug where certain resource sets were handled incorrectly. This has now been resolved. In addition, we added an additional safety measure to ensure that Krill does not allow impossible maximum length values for ROAs.

Related links:

Unbound 1.9.6 released

2019-12-12T10:00:00+01:00

We are pleased to announce the release of version 1.9.6 of the Unbound recursive DNS resolver.

This release contains a number of security related fixes, contributed by X41 D-Sec. They have conducted a security audit of Unbound, funded by OSTIF. The previous CVEs fixed in 1.9.4 and 1.9.5 were the most important ones, less important fixes and side findings for more robust code have been included in this release, alongside a normal number of bug fixes.

The sort order for included config snippets is now ascending by name, it previously was reversed due to an oversight. Most config snippets do not depend on the order as they add a stub or forward zone or some server: section config entries.

For a full list of changes and binary and source packages, see the download page.

Related links:

Mailing list migration

2019-12-12T00:00:00+01:00

We are migrating our mailing lists over to MailmanLists.

On December 16th 2019 all mailing lists will be migrated to MailmanLists. The opportunity will also be used to move mailing lists to dedicated subdomains.

nlnetlabs.nl lists will be moved to lists.nlnetlabs.nl
lists.opendnssec.org lists will remain at lists.opendnssec.org
getdnsapi.net lists will be moved to lists.getdnsapi.net

Existing users will be automatically subscribed to the new lists and care is taken to make the transition as smooth as possible. During the migration though, mailing lists may be unreachable.

From December 16th 2019 please direct questions to the new lists and ensure any filters you may have configured are updated to recognize the new address.

NSD 4.2.4 released

2019-12-10T13:43:00+01:00

Today, we released version 4.2.4 of the authoritative DNS name server NSD.

This release mainly fixes regressions in the configuration file parser for the minimal-responses: yesno, round-robin: yesno and log-time-ascii: yesno options. There are some portability fixes too, make distclean will now cleanup config.h and a maintainer-clean target has been added that will also remove the bison and flex output.

You can get source packages of this version from the downloads page.

Related links:

Krill 0.4.0 'The Krill Factor' Released

2019-12-03T12:00:00+01:00

We are incredibly proud to introduce Krill 0.4.0 'The Krill Factor'. This release is the culmination of one and a half years of designing, building, testing and documenting our RPKI Certificate Authority (CA) and Publication Server solution.

Ready for Production Use

The first three releases of Krill were meant to test the implementation. With Krill 0.4.0 'The Krill Factor', we are confident that the software can be used reliably with all five Regional Internet Registries (RIRs) and its Route Origin Authorisations (ROAs) are correctly validated by all Relying Party software implementations. As a result, NLnet Labs is now running Krill in production under the RIPE NCC parent CA.

With Krill 0.4.0 'The Krill Factor', operators can now generate and publish RPKI cryptographic material themselves to authorise their BGP announcements. It supports running RPKI under all five RIRs simultaneously and transparently, so if you have IP address space in multiple regions you can manage it as a single pool. Krill can also delegate to child organisations or customers who, in turn, run their own CA. The built-in publication server lets operators publish certificates and ROAs from their own infrastructure. Alternatively, you can use a third party which offers RPKI publication as a service. In short, all essential functions to run RPKI yourself using Krill are now available.

Future Development

Krill can be managed using a Command Line Interface (CLI), as well as an Application Programming Interface (API). An optional web-based user interface is currently being developed as a separate project, named Lagosta. With Krill 0.4.0 'The Krill Factor' data storage and the API are now stable, allowing for seamless updates going forward. This release serves as a starting point for further development throughout 2020 and beyond, where we will work on features such as high availability and support for just-in-time authorisations integrated tightly with internal routing management.

Commercial Support

Starting with Krill 0.4.0 and Routinator 0.6.0 we are offering commercial support for our RPKI software solutions, in case this is a requirement for your organisation or if you want to support the future development of the software. The service-level agreement (SLA) contract and security policy is on par with our DNS software NSD and Unbound. End of support for the software will be publicly announced two years in advance. Krill is licensed under the Mozilla Public License 2.0. Routinator and all libraries that are built to support the RPKI toolset are licensed under the BSD 3-Clause License.

Sustainable Open Source

Once again, we would like to extend our gratitude to NIC.br, the RIPE NCC Community Projects Fund, the Dutch National Cyber Security Centre and the Mozilla Open Source Support Fund for financially supporting the development of Krill, as well as our Relying Party software package Routinator. In addition, our thanks go out to DigitalOcean for offering their cloud infrastructure for our automated test platform, Fastly for their CDN services, as well as Juniper, Cisco and Nokia for providing us with virtual routers for testing. These organisations make it possible for us to develop free, open source software in a sustainable way. Please reach out to us if you want to join this effort.

Related links:

Routinator 0.6.3 ‘That Escalated Fast’ released (Updated)

2019-11-28T15:00:00+01:00

Updated: This release contained a critical bug that caused Routinator to completely hang on occasion. We have released Routinator 0.6.4 ‘Jeepers’ to fix this issue.

We are happy to announce the latest release of Routinator, version 0.6.3 ’That Escalated Fast.’

This release primarily fixes an issue where all RRDP requests would time out in detached server mode, i.e., if server mode is invoked with the -d option. Because Routinator only falls back to rsync if an RRDP fetch for a given repository has never succeeded and otherwise uses the data previously fetched (assuming that the RRDP failure was only of a temporary nature), this caused the eventual loss of the RIPE and APNIC regions’ ROAs if Routinator was ever run in a different way before.

But it is not all bleak news, there is a new feature, too. Veit Heller kindly contributed code to make Routinator reload the TALs and restart validation in server mode when signal USR1 is sent to it. This can be used both to notify Routinator of a change in the set of TALs without having to tear down all RTR sessions as well as kicking off a new validation run before the refresh time has passed.

You can find the complete list of changes in the release notes and more information on Routinator on Github.

Related links:

Routinator 0.6.2 ‘Distiller’s Edition’ released

2019-11-20T15:00:00+01:00

We are delighted to announce the latest release of Routinator, version 0.6.2 ’Distiller’s Edition.’

There aren’t any new features in this release. Rather, it is a collection of bug fixes and minor improvements that have been implemented over the last weeks. You can read the detailed list of these in the release notes.

Related links:

NSD 4.2.3 released

2019-11-20T08:15:00+01:00

Today, we released version 4.2.3 of the authoritative DNS name server NSD.

This release has log fixes, features of confine-to-zone and startup management, an implementation changes in the configuration parser and socket handling code simplifications. The implementation changes make the parser context aware, which is useful for the syntax of (future) config options. The socket handling code was rewritten to split it apart in separately handleable routines.

The confine-to-zone: yesno option from Greg Bock, if enabled stops NSD from responding with data outside of the zone the query was aimed at. Answers contain data that comes from one zone only.

The startup management patch for s6 and other service supervisors from Cameron Nemo can be used to signal readiness notification to them, it is in contrib. With that there is the new option that an empty pidfile statement (pidfile: "") in nsd.conf can be used to run NSD without having NSD create an nsd.pid file at startup.

There is fix for the sort order of included configuration files with the include: statement. Due to a programming oversight it was sorted, but in reverse. Files are now included in the sorted order. Mostly, if files contain configuration snippets of different zones, or config about different features, the include order should not matter for them.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.9.5 released

2019-11-19T10:00:00+01:00

We are pleased to announce the release of version 1.9.5 of the Unbound recursive DNS resolver.

This release is a fix for vulnerability CVE-2019-18934 that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered when all of the below conditions are met:

unbound was compiled with --enable-ipsecmod support, and
ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY (when gateway type == 3) contain a specially crafted domain name.

We would like to thank X41 D-Sec for notifying us about this vulnerability and OSTIF for sponsoring the Unbound security audit.

For a full list of changes and binary and source packages, see the download page.

Related links:

Best Paper Award for DNSSEC Root Key Rollover Paper

2019-11-08T09:00:00+01:00

A team of researchers including two NLnet Labs staff members has won the best paper award at the Internet Measurement Conference 2019. Their paper, entitled "Roll, Roll, Roll Your Root" gives an in-depth analysis of the DNSSEC Root KSK Rollover that took place over 2017-2018. It shows that while the rollover generally did not lead to problems for end users, under the hood, a number of issues occurred that led to worries in the DNS operations community. The paper identifies the causes of these issues, supporting the DNS community in improving implementations and procedures for future rollovers.

The IMC programme committee called the paper "a particularly fine example of a well-executed, well-timed paper" during the award ceremony.

The research team that worked on the paper is a showcase of a strong collaboration between academia and industry. With representatives from the University of Twente, SIDN Labs, NLnet Labs, USC/ISI, RIT and Verisign, the team covered the breadth of the DNS community.

From left to right: Philippa Gill (TPC chair), Roland van Rijswijk-Deij (NLnet Labs / UTwente), Robert Beverly (TPC chair), Moritz Müller (SIDN Labs / UTwente), Duane Wessels (Verisign), Tijay Chung (RIT), Willem Toorop (NLnet Labs) -- photo credit: Mattijs Jonker (University of Twente)

About IMC 2019

The Internet Measurement Conference (IMC) is an annual conference that aims to present top quality work in the area of Internet measurements. IMC 2019 was the 19th edition of the conference and took place October 21-23 in Amsterdam, The Netherlands. The conference was hosted by the University of Twente at the KIT Royal Tropical Institute. NLnet Labs' principal scientist Roland van Rijswijk-Deij was one of the general chairs of the conference, and NLnet Labs was bronze supporter of the conference.

Read the paper: Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover
View the video registration of the presentation
Learn more about IMC 2019 on the conference website

Longitudinal RPKI study presented at IMC 2019

2019-11-08T08:30:00+01:00

Two NLnet Labs team members, Tim Bruijnzeels and Roland van Rijswijk-Deij, contributed to a longitudinal study of the RPKI ecosystem. The study, presented at the Internet Measurement Conference 2019, analyses the development of RPKI since its inception in 2011. The study uses an open data set of all RPKI repositories collected and made available by RIPE. The most important conclusion from the study is that "RPKI is ready for the big screen" with a significant increase in data quality over the past two years.

The team that worked on this paper was a collaboration between academia and industry, with members from Rochester Institute of Technology, the University of Twente, NLnet Labs, Northeastern University, RIPE NCC, Max Planck Institut für Informatik, University of Maryland, Duke University, Akamai and Cloudflare.

Tijay Chung (Rochester Institute of Technology) presents the paper at IMC 2019 -- photo credit: Roland van Rijswijk-Deij

About IMC 2019

Want to start deploying RPKI? Read more about the RPKI tools that NLnet Labs develops.
Read the paper: RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins
View the video registration of the presentation
Learn more about IMC 2019 on the conference website

OpenDNSSEC 2.1.5 released

2019-11-05T11:30:00+01:00

The previous release fixed an important issue, but unfortunately left in a memory leak, which this release fixes. This release of 2.1.5 fixes the memory issue, along with some additional issues primarily relating to minor migration reporting and configuration.

The 2.1.5 release is available immediately from the download site. Installations still on the 1.4 release should really upgrade to this version as it has been tested enough by major players.

Fixes

SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4.
SUPPORT-244: Don’t require Host and Port to be specified in conf.xml when migrating with a MySQL-based enforcer database backend.
Allow for MySQL database to pre-exist when performing a migration, and be a bit more verbose during migration.
Fix AllowExtraction tag in configuration file definition.
SUPPORT-242: Skip over EDNS cookie option.
SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction with CLI commands (when having > 1000 zones and aborting a pipe).
Correct some error messages.

For OpenDNSSEC 2.1.5 download and additional information:

OpenDNSSEC 2.1.5 release announcement

Krill 0.2.0 'Interkrillactic, Planetary' released

2019-10-21T11:00:00+02:00

We are incredibly happy to introduce Krill version 0.2.0 'Interkrillactic, Planetary'. Krill is software that allows organisations to run Delegated RPKI under one or more Regional Internet Registries, i.e. ARIN, APNIC, LACNIC, AFRINIC and RIPE NCC, offering centralised and automated management of route authorisations.

If you are wondering why you didn't see an announcement of version 0.1.0 'A View to a Krill', it's because this release was for us to test the basic moving parts. This has resulted in a number of changes that are now available for you to try out and give us feedback on. In the coming weeks, we intend to do a series of releases to iron out the bugs and stabilise the functionality.

Version 0.2.0 'Interkrillactic, Planetary' was tested thoroughly under the RIPE NCC, APNIC and LACNIC parent Certificate Authorities, meaning we can successfully set up the system with a certificate containing our IP address ranges and Autonomous System Numbers. Testing with ARIN is currently ongoing, with AFRINIC planned afterwards.

Using the certificate we are now able to generate Route Origin Authorisations (ROAs) which correctly validate using almost all Relying Party software packages, including OctoRPKI, Routinator, FORT Validator, OpenBSD's rpki-client, rcynic and RIPE NCC RPKI Validator 2.x.

Despite our best efforts, RIPE NCC RPKI Validator 3.1 is currently the only software which doesn't seem to like our manifests. We will continue to investigate this issue together with the RIPE NCC and hopefully resolve it in the next release.

In addition to the interoperability testing, we also gave the Command Line Interface (CLI) a big overhaul, making it easier to use especially for users who manage one CA only. You can now use environment variables to set defaults for the Krill instance to connect to and which CA you want to operate on. Lastly, we added the --api argument which will simply print out the API call that the CLI would have made, without executing it. We plan to add proper (OpenAPI) documentation for the API, but for the moment this can help to explore it.

You can read about all the changes in the complete release notes as well as the updated documentation.

Related links:

Unbound 1.9.4 released

2019-10-03T11:30:00+02:00

We are pleased to announce the release of version 1.9.4 of the Unbound recursive DNS resolver.

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

We would like to thank X41 D-Sec for notifying us about this vulnerability and OSTIF for sponsoring the Unbound security audit.

For a full list of changes and binary and source packages, see the download page.

Related links:

NLnet Labs Annual Report 2018

2019-09-11T14:00:00+02:00

2018 was a great year for NLnet Labs. Our long running open source projects got a great number of improvements, we hired new staff members, started a major new project in the area of inter-domain routing and we increased our focus on research.

We are incredibly proud to be able to all of this work with the support we receive from the industry and community. You can read all about it in our Annual Report, which has also received a fresh coat of paint.

Related links:

Annual Report 2018 (PDF)

Routinator 0.6.0 ‘Pink Sombrero’ released

2019-09-10T15:00:00+02:00

We are jubilant to announce the latest release of Routinator, version 0.6.0 ’Pink Sombrero.’

This release adds support for the RPKI Repository Delta Protocol (RRDP), an alternative method of fetching RPKI data that uses HTTPS instead of rsync. RRDP will speed up synchronisation for frequently updated repositories, for instance when Routinator is running in server mode. For the RRDP implementation, most of the internal logic of Routinator has been rewired. We used this opportunity for extensive refactoring and cleanup of the code base.

One user visible consequence is that the listeners for RTR and HTTP are now started immediately instead of waiting until after the first validation run. They still will report an error message until then, but at least you won’t have to wonder whether something went wrong anymore.

There have been a few more changes. You can read all about them in the release notes. More information on the Routinator can be found on Github.

Related links:

Unbound 1.9.3 released

2019-08-27T10:00:00+02:00

We are pleased to announce the release of version 1.9.3 of the Unbound recursive DNS resolver.

This release has a number of bug fixes. Added is the ipset module, that helps add ip-addresses that are looked up in a domain to a firewall ip-address filter. Also, the python module has restart next, per-query data and multiple instance support. The unbound -V option has been added and it prints the build config.

For a full list of changes and binary and source packages, see the download page.

Related links:

Measuring the Impact of DNS Flag Day

2019-08-19T16:00:00+02:00

DNS Flag Day was the result of a collaborative effort and agreement of DNS implementers and DNS resolver operators to commit to no longer providing workarounds for non-standards-compliant authoritative nameservers as of 1 February 2019.

In the lead up to DNS Flag Day, and as part of the outreach, the focus for measurements has been the authoritative nameservers that needed to be fixed. In this post, we will take the other perspective and look at resolvers and resolver implementations — what was resolver behaviour on the Internet before DNS Flag Day, and how does the uptake of dropping workarounds disseminate in the wild?

Read the full blog post:

Measuring the Impact of DNS Flag Day

NSD 4.2.2 released

2019-08-19T11:15:00+02:00

Today, we released version 4.2.2 of the authoritative DNS name server NSD.

This release fixes a number of, smaller, bugs. Several failures are fixed in the zone file parser, reported by fuzzing from Frederic Cambus.

NSD now warns when a zonefile is parsed with SSHFP records in it with wrong lengths. The record itself is still managed normally, eg. does not cause the zone to stop loading. They are output into log, but the warnings are easily visible from the commandline using nsd-checkzone.

The release also fixes a segfault on exit, that originated from a fix in 4.2.1.

You can get source packages of this version from the downloads page.

Related links:

Progressing OpenDNSSEC

2019-07-30T16:00:00+02:00

Since the release of OpenDNSSEC 2 we’ve made incremental updates leading to the most recent 2.1.4 release. These updates all have been geared towards ironing out issues and contained only minor improvements. The frequency of updates has been modest, mostly because because of good news: we have not seen many bugs that need urgent fixing.

Read more about the details of recent developments in OpenDNSSEC 2.2 and the roadmap with new features in the full blog post:

Progressing OpenDNSSEC

ldns 1.7.1 released

2019-07-26T00:00:00+02:00

Besides many bugfixes, this release also has a few new features:

Support for DNSSEC algorithms ED25519 and ED448 when compiled with OpenSSL 1.1.1
An -I option to ldns-notify to specify a source IP address to send to notify from.
Complete OpenSSL engine support with ldns-signzone contributed by Vadim Penzin

Related links:

Routinator 0.5.0 ‘Why Not Try a Holiday in Sweden This Year?’ released

2019-07-18T15:00:00+02:00

We are rather thrilled to announce the latest release of Routinator, version 0.5.0 ‘Why Not Try a Holiday in Sweden This Year?’

This release adds actual RPKI origin validation to Routinator itself. An address prefix and AS number can now be checked for its RPKI status on the command line via the new validate command or via the HTTP server. The latter is done provided in a way compatible with the API provided by the RIPE NCC RPKI Validator.

The release also includes some breaking changes to the Prometheus metrics. Back when we introduced those, we chose names for the metrics that didn’t start with a prefix allowing to identify them as being from Routinator. This is now corrected and all metrics start with routinator_. While at it, we added new metrics for the rsync commands being run by Routinator, showing both their exit status codes and how long they took.

In addition, there has been quite a few internal plumbing changes. One more visible change is that Routinator will now delete the data for rsync modules that aren’t referenced anymore, keeping the local repository clean and small.

You can read about all the changes in the complete release notes. More information on the Routinator can be found on Github.

Related links:

NSD 4.2.1 released

2019-07-09T10:00:00+02:00

Today, we released version 4.2.1 of the authoritative DNS name server NSD.

This release fixes issues in the stream handling, from 4.2.0, but also earlier, in the event handling of streams.

The new statistics counters for TLS can give information about how many incoming DNS over TLS connections for queries have been received.

There are two new options to set the buffer sizes for the network sockets, this allows an increase for servers that want a bigger size than the default, which is already an increase over the system default. Increased buffer size for a network socket helps with traffic spikes. The options are send-buffer-size and receive-buffer-size, they set their respective socket options for buffer space.

When an AXFR download is in progress, to a client, and the zone is updated at that same time, then NSD no longer resets the connection, but allows that transfer to complete.

The tcp-reject-overflow option can be used to close all connections that are incoming when the server is full on TCP connections, this stops those connections from waiting for a spot.

You can get source packages of this version from the downloads page.

Related links:

Hackathon @ Africa Internet Summit 2019

2019-07-04T13:40:00+02:00

The ISOC African regional bureau has been organizing hackathons at the last three editions of the Africa Internet Summit in the same spirit as those of the IETF (hack to support Open Standards development). These hackathons also have the additional purpose to involve the Africa region better and more in work done at the IETF.

I personally (Willem Toorop) love participating in those IETF hackathons. I really enjoy the combination of collaboration and the no-nonsense getting your hands dirty ambiance found thereat. I also love to tell, teach and preach about my passions (i.e. DNS, End-Entity privacy and security etc.), so I was just thrilled that I was given the opportunity by ISOC Africa to lead one of the hackathon tracks during the Africa Internet Summit (AIS) this year.

Read the full blog post:

Hackathon @ Africa Internet Summit 2019

Unbound 1.9.2 released

2019-06-17T11:00:00+02:00

We are pleased to announce the release of version 1.9.2 of the Unbound recursive DNS resolver.

This release contains a number of bug fixes for crashes introduced in 1.9, session ticket code, stream pipeline code, auth zone code and it also fixes qname minimisation packet scrub failures.

There is a new python module example. This is an example of a module that is loaded into unbound that changes DNS messages, and how Unbound processes them. The example resolves records in multicast DNS, with Avahi.

AXFR over TLS is supported. This uses TLS to connect to the master and download the AXFR or IXFR. Enable by loading certificates (just like for other DNS over TLS), and syntax like master: "ip#authname" in unbound.conf for the auth-zone where you want to use this.

For a full list of changes and binary and source packages, see the download page.

Related links:

DNSSEC Key Management Tools Research Project Awarded

2019-06-12T13:40:00+02:00

NLnet Labs has recently been awarded a grant from the European Commission's NGI0 PET funding to invest in improving how operators of high-stakes domains (such as top-level domains) manage their sensitive key material for DNSSEC signing. The outcome of the project, open source tools and processes for secure key management, will enable operators to strengthen the trust in DNSSEC. This is especially important with the increasing use of DNSSEC and DANE to secure, e.g., e-mail transport. The project will run from June 1st until the end of 2019.

Related links:

Research Projects at NLnet Labs

NSD 4.2.0 released

2019-06-11T14:20:00+02:00

Today, we released version 4.2.0 of the authoritative DNS name server NSD.

This release contains new features, contributed from Sinodun, that implement TCP fast open support and also support for service on DNS over TLS.

There is also TLS OCSP stapling support with the tls-service-ocsp option in nsd.conf.

The new option hide-identity can be used in nsd.conf to stop NSD from responding with the hostname for probe queries that elicit the chaos class response, this is conform RFC4892.

There is a bug fix for memory leaks during zone file read, with duplicate records in the zone file.

You can get source packages of this version from the downloads page.

Related links:

Routinator 0.4.0 ‘The Bumpy Road to Love’ released

2019-06-03T15:00:00+02:00

We are euphoric to announce the latest release of Routinator, version 0.4.0 ‘The Bumpy Road to Love.’

This release fundamentally changes the command line options for running the server and introduces a new way to initialize the local RPKI repository used by Routinator. If you have been using previous releases, you will likely have to adjust your tooling. We apologize for this, but we also feel that the new commands are more intuitive and logical.

Server Mode

The command for running the server (previously rtrd) is now called server. It will not detach from the terminal anymore unless explicitly instructed via the -d option.

When we added HTTP support, we intended it to be for monitoring only. But it turned out that using HTTP is very useful for integrating Routinator into existing work flows, so we now make HTTP a first class protocol. Since this means that users may want to use the server mode without RTR, Routinator will not listen on any ports by default any more. Instead, you will have to explicitly choose the protocols, addresses, and ports to listen on. The options for listening are now more intuitive, too: --rtr for RTR and --http for HTTP.

Initialization

Previously, Routinator automatically installed the TALs if the TAL directory wasn’t present and then stopped because of the missing ARIN TAL. This made it difficult to automatically install TALs in deployments.

This release replaces the automatic mechanism with a manual procedure that is invoked by the new init command.

In addition, we have received permission by ARIN to include their TAL. If you agree with the ARIN Relying Party Agreement, you can now instruct Routinator to install all TALs without having to download anything.

Filtering of VRPs

To make up for all these breaking changes, we added filtering of VRPs in output both via the vrps command and in the HTTP output. Command line options or HTTP query fields allow limiting the output to those VRPs that cover a set of address prefixes or are related to a set of ASNs.

As ever, you can read about all the changes in the complete release notes as well as the updated documentation. More information on the Routinator can be found on Github.

Related links:

NSD and Unbound repositories moving to GitHub on 1 May 2019

2019-04-19T09:00:00+02:00

We are excited to announce that on the 1st of May 2019, we will migrate the NSD and Unbound repositories to git and use GitHub for maintaining them. We are also going to use the GitHub infrastructure to manage tasks and community contributions, collect user feedback and allow you to report software bugs.

This means that on 1 May 2019, the following will happen for the NSD and Unbound projects:

Our SVN repositories will be made unavailable by replacing the contents of the SVN trunk with a single document pointing to GitHub
Bugzilla, our bug-tracking system, will be switched to read-only
We will accept contributions via a pull request on GitHub
Feature requests and bug reports should be submitted via GitHub issues

This change is part of an ongoing effort to unify the experience for our community. Over the next weeks and months, all projects that NLnet Labs manages will be migrated. We are convinced that GitHub offers the best platform to cater to the needs of both our community and our developers.

If you would like to get a head start, you can already start using GitHub for the NSD and Unbound projects today.

Related links:

"A First Look at QNAME Minimization" paper wins Best Dataset Award at PAM2019

2019-03-29T15:19:00+01:00

Three NLnet Lab rats - Ralph Dolmans, Roland van Rijswijk-Deij and Willem Toorop - worked together with Wouter de Vries (University of Twente), Moritz Müller (SIDN Labs) and Quirin Scheitle (TUM) on the paper A First Look at QNAME Minimization in the Domain Name System. The paper was awarded the "Best Dataset Award" at PAM2019.

Related links:

Routinator 0.3.2 ‘Bitter and Twisted’ released

2019-03-27T12:00:00+01:00

We are disheartened to announce yet another bugfix release of the Routinator, version 0.3.2 ‘Bitter and Twisted.‘

Routinator is an RPKI relying party software that collects and validates statements made in the Resource Public Key Infrastructure (RPKI) about allowed route origins and provides them to routers and curious researchers alike.

When we moved reading of the TALs to be done only at the start in the last release, we accidentally made all error messages related to them invisible. This resulted in Routinator quietly terminating if the TALs were broken.

Additionally, Github user matsm got stung by our RPSL output not being quite correct. Now IPv6 prefixes are properly provided via a route6: statement and all lines have Unix-style endings.

You can read about all the changes in this and previous releases in the complete Changelog. More information on the Routinator can be found on Github.

Related links:

NSD 4.1.27 released

2019-03-25T13:40:00+01:00

Today, we released version 4.1.27 of the authoritative DNS name server NSD.

This release contains improved deny-any responses, and on-the-fly changes for tsig keys via nsd-control. There is a number of bug fixes as well.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.9.1 released

2019-03-11T10:00:00+01:00

We are pleased to announce the release of version 1.9.1 of the Unbound recursive DNS resolver.

This release contains bug fixes for two issues in the out of order processing introduced in 1.9.0, one where the wrong answer was returned and a crash bug in file descriptor handling.

There are fixes for compile on Windows with pythonmod support. You need to compile the source for that with the option enabled. Start with, eg. compile on windows itself (with gcc or clang), or crosscompile with mingw64-configure as the start of the compile run and enable the pythonmod configure option.

There is also a fix for qname minimisation, that could have skipped a label-fetch-step when it should not have. This was caused by certain recursion situations and the subsequent qname minimisation continuation. Qname minimisation in Unbound is designed to sometimes add several labels at a time, instead of just adding one label at a time and performing lookups until the full qname is reached, because certain names are very long, especially in the IPv6 reverse space. Unbound performs short steps near the top, in root and TLDs, but then makes longer label add steps when the name is very long, near the left side of the qname. This is to keep the lookup latency short.

A new type of local-zone is added, inform_redirect, this acts like both type inform and type redirect are both used. The answer is logged and the content of the answer is like type redirect.

For 0x20 capsforid, a canonical sort is used to compare faulty replies. This removes some cases where the fallback could not figure out the reply is genuine in several retries.

To make ratelimiting easier, the ratelimit logs print the query name that triggered the ratelimit message. Not all query names are supposedly the same, but the query name of the query that made the ratelimit exceed is printed, and this gives (a single name of) insight into the nature of the traffic employed. Also the IP-address of the sender of the query that triggered the upstream ratelimit is printed. If a recursion exceeds ratelimit, it does not print the IP-address of the query ultimately responsible for the recursive lookup.

Unbound has ratelimiting for both the clients (the downstream side) and for traffic sent by unbound to the wider internet (the upstream side). The ip-ratelimit options limit traffic in packets per client IP. The ratelimit options limit traffic towards a domain name. The new logging prints extra information with the log messages for both of them, so that an inkling of information on some of that traffic is visible straight away.

For a full list of changes and binary and source packages, see the download page.

Related links:

Routinator 0.3.1 ‘More Intensity’ released

2019-03-06T15:00:00+01:00

We are enthused to announce the latest release of the Routinator, version 0.3.1 ‘More Intensity.‘

This release ties up some loose ends before some big improvements planned for the next version. Most importantly, we added a timeout to rsync runs after a hanging rsync got the entire Routinator RTR daemon stuck. Trust anchor locators are now only read once when Routinator starts. While this will make Routinator more robust against accidental file system changes, you will need now need to restart it if you changed the TALs on purpose.

We fixed a bug where a missing tcp-listen option in the config file would make Routinator crash in rtrd mode – it will now use the default listen address 127.0.0.1:3323 as expected.

Finally, we added some more details to the Prometheus metrics introduced in the last version. These are now given per trust anchor and include not only the number of VRPs but also of ROAs.

You can read about all the changes in this release in the complete Changelog. You can find more information on the Routinator on Github.

Related links:

Routinator 0.3.0 ’It’s More Fun at the Zoo’ released

2019-02-14T16:00:00+01:00

We are elated to announce the latest release of the Routinator, version 0.3.0 ’It’s More Fun at the Zoo’.

This release implements RFC 8360 which proposes an alternative mode for dealing with overclaimed resources in certificates. It promises to make it easier to deal with resources being transfered away from a holder.

We have also added an HTTP service to rtrd mode. It is intended primarily for monitoring – it already supports the metrics endpoint for Prometheus –, but it also allows you to fetch the list of VRPs via your browser. We will add more extensive monitoring metrics in future releases.

Finally, we fixed a bug where some serial numbers in RTR were all wrong.

You can read about all the changes in this release in the complete Changelog. You can find more information on the Routinator on Github.

Related links:

Unbound 1.9.0 released

2019-02-05T10:00:00+01:00

We are pleased to announce the release of version 1.9.0 of the Unbound recursive DNS resolver.

This release contains the DNS Flag Day changes for Unbound. See the reference here, https://dnsflagday.net/ . Or this presentation: EDNS Flag Day - OARC29.pdf . The EDNS timeouts are not used to fallback to nonEDNS queries.

Out of order processing is implemented, for TCP and TLS. It can be configured with a maximum amount of memory to use to store pending answers, and the current memory usage is in the statistics output. This is with stream-wait-size in unbound.conf and mem.streamwait in unbound-control stats output. Streams that cause the total memory counted to exceed the maximum are dropped, but it is possible to get a number of responses with little memory used.

There is also TLS session resumption support, that can be enabled with the tls-session-ticket-keys option. Together with the already existing TCP fast open, enabled with --enable-tfo-server --enable-tfo-client, that enables zero RTT stream reconnections to the server. Make sure to also increase incoming-num-tcp if you expect a lot of TCP and TLS users.

Options are added to set the TLS ciphers and TLS ciphersuites from unbound.conf. This can be done with the tls-chiphers and tls-ciphersuites options.

TLS can be used from libunbound, with the ub_ctx_set_tls config call, use that together with ub_ctx_set_fwd to select DNS over TLS transport.

For a full list of changes and binary and source packages, see the download page.

Related links:

Mozilla Open Source Support programme awards grant for the Routinator

2019-01-07T10:00:00+01:00

We are incredibly excited to announce that the Mozilla Open Source Support (MOSS) programme has awarded a grant for the development of the Routinator, NLnet Labs’ RPKI Relying Party software that helps make Internet routing more secure.

The MOSS awards programme supports open source projects that contribute to Mozilla’s work and the health of the Internet. Specifically for the MOSS Mission Partners track, Mozilla looks for projects that are closely aligned with its own mission.

We are also very grateful to the Amsterdam Internet Exchange (AMS-IX), who endorsed us during the application process. AMS-IX was one of the world’s first Internet Exchanges to offer RPKI-based filtering on their route server platform.

With the MOSS award, we will be able to develop the Routinator into a lean, stable and feature-rich RPKI relying party package. Over the course of 2019, we will be providing packages for major Operating Systems, integration with alerting and monitoring services, configuration management, a web-based user interface, a RESTful API and much more.

We also want to take this opportunity to thank Mozilla for their pivotal role in supporting the Rust programming language. The RPKI toolset, which includes the Routinator, is the first major project that we are building exclusively in Rust. At its core Rust is a systems language that combines C level performance with modern high level elements, such as a strong type system, error handling, and concurrency. Besides all this the Rust build system and dependency management system are superb.

Mozilla is the fourth organisation to join in funding the development of our RPKI toolset. This kind of community support is incredibly valuable to a non-profit foundation like ours. It enables us to commit long term resources to the project and build it to the standards that you have come to expect from NLnet Labs.

Related links:

Routinator 0.2.1 ‘Rated R’ released

2019-01-04T12:00:00+01:00

We are stoked to announce the first release of Routinator in 2019, version 0.2.1 ‘Rated R.’

This release primarily fixes two bugs introduced with the configuration file support in 0.2.0. For one, Routinator failed to build on 32-bit systems. Secondly, the code and documentation disagreed on the name of the default configuration file. After checking back with users, we settled on $HOME/.routinator.conf.

However, since that didn’t seem enough to warrant a release in itself, we decided to try and make Routinator work on Windows as a bonus. Because of Rust’s built-in support for Windows, this turned out easier than expected. You still need to get rsync, though, in particular the one coming with Cygwin.

You can read about all the changes in this release in the complete Changelog. You can find more information on the Routinator on Github.

Related links:

Dutch National Cyber Security Centre joins in funding NLnet Labs' RPKI toolset development

2018-12-18T09:00:00+01:00

The National Cyber Security Centre (NCSC) of the Netherlands has pledged to participate in funding the development of the RPKI toolset by NLnet Labs.

The NCSC is the central information hub and centre of expertise for cyber security in the Netherlands. The NCSC's mission is to contribute to enhancing the resilience of Dutch society in the digital domain, and thus to create a secure, open and stable information society.

We are proud that the NCSC is supporting our efforts to make Internet routing more resilient and secure. The mitigation of Border Gateway Protocol (BGP) hijacking is paramount to ensuring the availability of networks, as well as preventing data redirection and interception.

The NCSC is the third organisation to invest in this project, following Brazilian registry NIC.br and the RIPE NCC Community Projects Fund. With their support, we are able to invest the resources needed to develop, test and release a high quality toolset, comparable to our other projects such as NSD and Unbound.

With community support like this, our non-profit foundation is able to continue and strengthen its long-term mission to invest in research and development, Internet architecture and governance, as well as stability and security in the area of DNS and inter-domain routing.

Related links:

Routinator 0.2.0 ‘Instant Gezellig’ released

2018-12-12T15:00:00+01:00

We are exhilarated to announce the latest release of the Routinator, version 0.2.0 ‘Instant Gezellig.’

This release both cleans up the initial release and prepares for new features to come. Most importantly, we decided to change command line handling and switched to the ever popular model of requesting actions via sub-commands. You can now request a list of the validated ROA payload (aka VRP) via the vrps command and start the RTR server via rtrd.

Instead of repeating options over and over again, you can now put them into a config file. You can either explicitly pick a file via the -c option or keep .routinator.conf in your home directory. The config file can contain all global options and the additional options for the RTR server. It is a TOML file. A complete example is available in the source repository.

Another change is that we adjusted the output formats for the vrps command to be even closer to those used by the RIPE NCC Validator by adding trust anchor information. On top of that, Job Snijders contributed a new output that makes it easier to use Routinator with OpenBGPD.

Finally, deployment is now ever so much easier thanks to the Dockerfile contributed by David Monosov. If you are using Docker, you can now get Routinator from the Docker Hub simply by:

docker pull nlnetlabs/routinator

If you have Routinator installed from cargo.io, you can upgrade to the latest release via:

cargo install --force routinator

You can read about all the changes in this release in the complete Changelog. You can find more information on the Routinator on Github.

Related links:

Unbound 1.8.3 released

2018-12-11T11:42:00+01:00

We are pleased to announce the release of version 1.8.3 of the Unbound recursive DNS resolver.

This release fixes crash bug introduced in 1.8.2 in the dns64 processing.

For a full list of changes and binary and source packages, see the download page.

Related links:

OpenINTEL wins Research Data NL Prize

2018-12-04T15:19:00+01:00

The OpenINTEL project that NLnet Labs recently joined has been awarded the Research Data NL Prize. OpenINTEL received the prize for making groundbreaking data on the long-term development of the DNS available for research.

Related links:

Blogpost: The Ongoing Story of OpenINTEL

Unbound 1.8.2 released

2018-12-04T13:56:00+01:00

We are pleased to announce the release of version 1.8.2 of the Unbound recursive DNS resolver.

The option so-reuseport is by default disabled on FreeBSD, but it has support to work on FreeBSD 12 with the REUSEPORT_LB variant, if enabled in unbound.conf.

The python code in unbound supports python 3.6, but also python 2.7 works. The python module prints the python exceptions to the log, so that compatibility problems are more easy to troubleshoot.

Fast server selection options are added that select from the fastest servers in the available set, with fast-server-num and fast-server-permil this can be turned on. When enabled the fastest servers are selected, instead of a random server. Randomness is good for poisoning prevention, but fast selection can result in faster roundtrips.

The nameserver records in large returned negative responses are scrubbed out of the packet to avoid fragmentation based DNS cache poisoning, from a report from T.Suzuki.

The automated test set now has static code analysis of the source code, this is performed with the clang analyzer.

There is a new option to deny ANY packets, with deny-any: yes in unbound.conf. The option unknown-server-time-limit can be used for cases behind a slow uplink to avoid multiple timeouts on every query to attain the necessary long timeout length for that uplink.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.1.26 released

2018-12-04T11:40:00+01:00

Today, we released version 4.1.26 of the authoritative DNS name server NSD.

This version has DNSTAP support (http://dnstap.info). Use --enable-dnstap for ./configure to turn it on, then in nsd.conf enable the dnstap feature with dnstap-enable: yes and set one or more of dnstap-log-..-messages to yes. And set the dnstap socket path in the config.

The reuseport: yes config option in nsd.conf on FreeBSD 12 can use the SO_REUSEPORT_LB option that performs performance load balancing.

The changezone command for nsd-control allows to change the pattern associated with a zone without downtime for the zone, in one operation. It is otherwise just like a delete and an add for that zone.

Include files from the config file are sorted before inclusion, giving a stable list of included text.

You can get source packages of this version from the downloads page.

Related links:

Introducing a new logo family for our DNS projects

2018-11-20T13:50:00+01:00

Who knew branding could be this much fun? As a small, open source organisation we mostly spend our time on writing code. But several months ago, we wanted to see if we could replace the generic icons we were using for our projects with some fresh and shiny logos. It felt like a fitting cherry on the proverbial cake after launching our new website.

As fate would have it, a simple tweet from our offices in Amsterdam resulted in a recommendation all the way from New Zealand to get in touch with a designer in Rotterdam.

Now, after collaborating with Richard de Ruijter for several months, we are absolutely thrilled to introduce a new logo family for our DNS projects.

We hope you like them as much as we do! We'll be working on updating the website with the new designs over the next few days.

We're already looking forward to working with Richard again to design some awesome logos for our upcoming projects, as well as some other fun things for the community to look forward to. So make sure you look us up at the next conference!

Related links:

NLnet Labs joins OpenINTEL

2018-11-12T12:00:00+01:00

We're proud to join the OpenINTEL measurement platform.

The goal of OpenINTEL is to capture daily snapshots of the state of large parts of the global Domain Name System. Because the DNS plays a key role in almost all Internet services, recording this information allows OpenINTEL to track changes on the Internet, and thus its evolution, over longer periods of time. By performing active measurements, rather than passively collecting DNS data, the platform builds consistent and reliable time series of the state of the DNS.

OpenINTEL makes extensive use of the tools provided by NLnet Labs, such as the Unbound recursive caching resolver and the LDNS DNS library.

Related links:

OpenINTEL website

Routinator 0.1.1 ‘Five-second Rule’ release

2018-11-05T16:00:00+01:00

We are slightly embarrassed to announce the first bugfix release of the Routinator: version 0.1.1 ‘Five-second Rule.’

Routinator is an RPKI relying party software that collects and validates statements made in the Resource Public Key Infrastructure (RPKI) about allowed route origins and provides them to routers.

This release fixes a bug in the RTR server used by routers to acquire their set of valid route origins. There are two versions of this protocol. While Routinator supports both versions, we overlooked that the message that ends a set of origins (the End of Data PDU) is different in the two versions. We thus responded with the wrong message in version 0, leading to at least Juniper routers rightfully dropping the RTR session.

Many thanks to everyone getting back to us reporting the issue. We very much appreciate your interest in Routinator! Since there was quite a few reports, we decided to quickly release this bugfix version.

If you have installed Routinator directly from crates.io, you can update through:

cargo install --force routinator

You can find more information on the Routinator, including how to get and run your own copy, on Github.

Related links:

Routinator 0.1.0 ‘Godspeed!’ released

2018-11-01T13:00:00+01:00

We are extremely delighted to announce the very first release of the Routinator, version 0.1.0 ‘Godspeed!’

In the modern Internet, routing security is becoming increasingly important. Resource Public Key Infrastructure (RPKI) is a powerful component in preventing BGP hijacking. The system allows network operators to create cryptographically validatable statements about their BGP routing intent. Routinator collects these statements, validates them, and makes them available to routers to use in the BGP decision making process.

The initial release implements the basic set of functionality: fetching and validating RPKI data and exposing route origin attestations both as output and to routers via the RPKI-RTR protocol.

This release is the first step in NLnet Labs’ ongoing effort to provide open source software covering the entire RPKI spectrum.

You can find more information on the Routinator, including how to get and run your own copy, on Github.

Related links:

Unbound 1.8.1 released

2018-10-08T13:20:00+02:00

We are pleased to announce the release of version 1.8.1 of the Unbound recursive DNS resolver.

This release of Unbound contains a number of bug fixes. A memory leak in the TLS lookup code is fixed. Leaked requests in the requestlist are fixed. Lookup failure due to qname minimisation and a lack of IPv6 with connectivity issues is fixed.

TLS upstream servers are signalled with SNI with the name that is configured. This allows hosting servers by name on the destination.

Also Unbound is fixed from calling disallowed routines, by using EVP code, for FIPS OpenSSL.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.1.25 released

2018-09-25T00:00:00+02:00

Today, we released version 4.1.25 of the authoritative DNS name server NSD.

This release contains mostly just bug fixes. The NSEC3 fixup helps certain NSEC3 failures, and there is a fix for systemd integration.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.8.0 released

2018-09-10T14:20:00+02:00

We are pleased to announce the release of version 1.8.0 of the Unbound recursive DNS resolver.

This release has a number of bug fixes, a list of features added and some defaults changed.

The defaults that are changed enable options that have been introduced in the past with an option that defaulted to off, but have proven to work, improve speed and resilience and we would now recommend to enable when configuring the server. Still the option exists if you want to manually specify the feature.

New features include options for unbound-control: auth_zone_reload, auth_zone_transfer. New counters in the statistics output: num.queries.tls, num.query.subnet, num.query.subnet_cache. New options in unbound.conf: dns64-ignore-aaaa, tcp-idle-timeout, edns-tcp-keepalive, edns-tcp-keepalive-timeout, tcp-connection-limit, stub-no-cache, forward-no-cache, log-servfail, log-local-actions, serve-expired-ttl, serve-expired-ttl-reset. Commandline options -R (use direct queries) for unbound-anchor, -d (delay) for streamtcp. There is support for RR type SMIMEA. There is support for EDNS option EDNS KeepAlive.

The libunbound library has gone up an api version increment because one of the callback signatures has changed. New information is available to the callback, existing usage of the function could conceivable get an upgrade by ignoring the extra function call parameter. For python scripts, a similar situation, where new information has been made available to the callback functions, in the form of extra function call parameters. This information is also available to module callbacks internally. For python the extra arguments functionality is used to extend the arguments. The extra information is connection information, exposing the client's IP address to the callback function and whether the query failed because of rate limiting.

There are a number of bug fixes for Qname minimisation, and a number of fixes for auth-zone functionality. And there has been a fix in the processing of dns64 negative cache entries and a fix about fallthrough in the view local-zone processing functionality.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.1.24 released

2018-08-13T00:00:00+02:00

Today, we released version 4.1.24 of the authoritative DNS name server NSD.

This version has a fix for a bug in resigning zones with different NSEC3 salt, where NSD would not pick up the NSEC3PARAM record, and serve answers that omit NSEC3 records. NSD is now lenient and when NSEC3PARAMs exist that point to nonworking NSEC3 chains, NSD attempts to find an alternative NSEC3PARAM with NSEC3 records.

It is possible to use nsd-control over a command pipe, without using TLS, by setting the name of the control socket file. Access permissions on that file then act as the access control. No TLS is used, because it is not network traffic, and this is likely faster.

Also systemd support is added for readiness signalling. Enabled with use-systemd: yes.

You can get source packages of this version from the downloads page.

Related links:

Introducing Routinator, a new RPKI Validator

2018-08-06T12:30:00+02:00

NLnet Labs has committed to building a full open source RPKI toolset to help make BGP routing more secure. This work consists of three projects. We will offer a Certificate Authority (CA) package, allowing network operators to run RPKI on their own systems instead of using the hosted platforms offered by the five Regional Internet Registries. In addition, we will build a Publication Server, to let operators or a third party publish the certificates and ROAs generated by the CA. Lastly, the toolset includes Relying Party software allowing operators download the global RPKI data set, validate it and use the result in their BGP decision making process.

To kick off this project, we are proud to announce that we have just released experimental Relying Party software called Routinator, written in the Rust programming language. Our mission is to offer a set of software packages that is on par with our other projects such as NSD and Unbound, in terms of quality, feature set and update frequency.

Note: if you love this stuff, we’re hiring!

Related links:

NSD 4.1.23 released

2018-07-30T00:00:00+02:00

Today, we released version 4.1.23 of the authoritative DNS name server NSD.

NSD versions 4.1.22 and before are vulnerable in comparing TSIG information and this can be used to discover a TSIG secret.

NSD uses TSIG to protect zone transfers. The TSIG code uses a secret key to protect the data. The secret key is shared with both sides of the zone transfer connection. The comparison code in NSD was not time insensitive, causing the potential for an attacker to use timing information to discover data about the key contents.

NSD versions from 2.2.0 to 4.1.22 are vulnerable. Upgrade to 4.1.23 or newer to get the fix.

It was reported by Ondrej Sury (ISC).

You can get source packages of this version from the downloads page.

Related links:

DNSSEC trigger 0.17

2018-06-25T11:10:00+02:00

This release of version 0.17 fixes an infinite loop in dnssec-trigger introduced with fixes on the patch on the 0.16 release.

Related links:

DNSSEC trigger 0.16

2018-06-21T14:00:00+02:00

This release has a fix for the reports about .uk.uk. The patchset from Martin Sehnoutka is integrated, it moves functionality from the linux network change script into the dnssec-trigger process.

Related links:

Unbound 1.7.3 released

2018-06-21T10:10:00+02:00

We are pleased to announce the release of version 1.7.3 of the Unbound recursive DNS resolver.

This release fixes a bug in qname minimisation, from 1.7.1, that double counts CNAMEs and this causes resolution failures because the maximum CNAME count is hit. This caught attention because since 1.7.2 qname minimisation is enabled by default.

For a local name unix pipe unbound-control setup, with the pathname of the socket configured in control-interface, Unbound now uses an unencrypted connection. Permissions can be configured by setting them on the directory the file is in, unbound creates the file with permissions that allow members of the group of the user that is configured unbound.conf access. This fix is also part of NSD nsd-control.

For a full list of changes and binary and source packages, see the download page.

Related links:

Unbound 1.7.2 released

2018-06-11T11:40:00+02:00

We are pleased to announce the release of version 1.7.2 of the Unbound recursive DNS resolver. There are a number of bug fixes, but also some features.

This release fixes bugs in DNS-over-TLS for windows, and adds the option for Windows users to use the CA certificates from the Windows cert stores. This can be set with the tls-win-cert: yes option in unbound.conf.

The code has been updated with a speed up that improves performance for large numbers of incoming TCP and TLS connections. In addition, QNAME minimisation is now enabled by default. Lastly, there is an option to allow to ignore an unset RD bit for access control subnets and always allow recursion to the request.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.1.22 released

2018-06-11T00:00:00+02:00

Today, we released version 4.1.22 of the authoritative DNS name server NSD.

This release fixes a bug where zone transfers would not succeed, because of an error in the selective NSEC3 allocation (introduced in 4.1.18).

The refuse ANY query feature now sends truncated answers over UDP and allows TCP queries. This is the same size response on UDP as the refusal but allows the query to succeed over TCP for genuine queriers that fallback to that transport mechanism.

The release contains a speed up for TCP processing that should NSD better at handling large numbers of incoming TCP connections.

You can get source packages of this version from the downloads page.

Related links:

Putting an End to Workarounds for Broken Software

2018-06-07T00:00:00+02:00

The specification of the DNS protocol and its extensions in the IETF, the implementation of the protocol standards and its compliance, and the interoperability between DNS name server implementations give rise of complex interdependencies. For one, the IETF standards sometimes allow room for different interpretations resulting in slightly varying behavior in the implementation of the DNS standards. And sometimes there are different operational realities to be addressed, resulting in different decisions. But for all, the open-source DNS software developers address interoperability between their implementations, and make sure that the users of the DNS software can rely on the correct behaviour of the individual DNS name servers (authoritative and recursive).

Unfortunately, a substantial amount of effort and code is spent to cope with broken DNS software implementations. With broken DNS software, we mean software that does not comply with the standards in any interpretation and just fails to behave properly. The net effect is that the open-source DNS software developers have to deal with the errors and ignorance of the broken DNS implementations. Put differently: we have to pay a price in time and code complexity for the errors of other parties that don't bother to resolve their incorrect implementation.

EDNS Extension Support

To signal the start of a joint effort to reduce the code necessary to implement workarounds in their DNS software, a group of open-source DNS software developers will discontinue a support for dealing with broken EDNS support.

From February 1st, 2019 new releases of DNS software from CZ.NIC, ISC, NLnet Labs, and PowerDNS will drop support and code for the workaround of non-compliance problems with EDNS standard as specified in RFC 6891.

EDNS is a mechanism to include optional information in DNS messages. It is not mandatory to implement. The DNS standards provides implementations with a way to signal their lack of EDNS support. However, some implementations choose to react in non-standard ways when provided with EDNS messages, requiring workarounds for interoperation. We have deliberately selected to remove these workarounds to send a clear signal instead of causing a major disruption.

Related links:

NSD 4.1.21 released

2018-05-14T00:00:00+02:00

Today, we released version 4.1.21 of the authoritative DNS name server NSD.

This release introduces query type ANY refusal. NSD already has RRL support that by default throttles queries, and also queries of type ANY. But an nsd.conf option has been added, this makes NSD refuse queries of type ANY.

The tcp-count can be higher. For more tcp service, use something like tcp-count: 10000 or so. The fix is that tcp connections use (much) less memory now, than in previous versions.

The memclean option is for memory checkers and code analyzers, without the option, NSD lets the system remove memory pages with unused resources on exit of a process, which is much faster.

You can get source packages of this version from the downloads page.

Related links:

Unbound 1.7.1 released

2018-05-03T11:20:00+02:00

We are pleased to announce the release of version 1.7.1 of the Unbound recursive DNS resolver. There are a number of bug fixes, but also some features.

This release has root key sentinel support, default on, from draft draft-ietf-dnsop-kskroll-sentinel. The root key sentinel helps the root key rollover process by providing insight into the distribution of the key material over the resolver population. For that, the resolver gives responses indicating which keys are in use by the resolver.

Crypto support for ED448 has been added. ED25519 was already supported in a previous release. The crypto algorithm code is default turned on if support is detected at configure time. The openssl 1.1.1 beta versions have ED448, and also ED25519 support.

For DNS over TLS, the tcp length is sent in the same packet as the tcp content, for the TLS connections, providing a speed up. Also TLS authentication can be enabled by specifying the TLS auth name in unbound.conf. An example config for large public cloud dns over tls resolvers is this:

server:
  tls-cert-bundle: "ca-bundle.pem"
forward-zone:
  name: "."
  forward-addr: "9.9.9.9#dns.quad9.net"
  forward-addr: "1.1.1.1#cloudflare-dns.com"
  forward-tls-upstream: yes

It is possible to have unbound as a TLS server serve TLS on different ports, with additional-tls-port. Use this to set up dns over tls service on both ports 853 and 443.

For fast server selection, there are new options low-rtt and low-rtt-pct. For example set low-rtt-pct: 900 to enable it. These options are experimental at this time. We are interested in user experiences, and are intending to look at the expressiveness that is desired for ease of use and applicability. Also, the pct part of low-rtt-pct is technically the wrong term and we intend to replace it with promille (likely in a future release, together with user experience feedback changes).

There is hiredis support for the cachedb module.

Monitoring of the new agrressive NSEC and auth zone root local copy features is possible with statistics counters for agressive NSEC and for auth zone usage. Auth zone supports incoming NOTIFYs, from masters and from allow-notify hosts. Auth zones can be listed from unbound-control with their SOA serial number.

Unbound-control set_option and get_option needed different ':' placement, the current release allows with and without ':' syntax.

For a full list of changes and binary and source packages, see the download page.

Related links:

Benno Overeinder appointed DNSOP co-chair

2018-04-12T00:00:00+02:00

In the IETF, the DNS Operations (DNSOP) Working Group serves as the shepherd of the DNS protocols. It develops guidelines for the operation of DNS software and services as well as the operation of DNS zones. In addition, it has become the starting point for proposed extensions and improvements to the DNS protocol itself.

At IETF 101 in London the two current chairs of the DNSOP Working Group, Suzanne Woolf and Tim Wicinski, expressed their desire to have a third chair to help deal with the increasing workload and ongoing proposals.

IETF Area Director Warren Kumari announced today that Benno Overeinder was appointed DNSOP co-chair.

Related links:

New website launch

2018-04-04T00:00:00+02:00

We are proud to launch a brand new website for NLnet Labs, with a sleek new logo and fresh content.

Our new home offers a comprehensive overview of the projects we maintain, as well as the research, community and standards work we do. The previous website was getting a bit long in the tooth and hard to maintain. That's why we decided to redo everything from scratch and integrate separately maintained domains such as unbound.net. Our goal was to make our projects easy to find and our services easier to understand. We hope you like it.

Instead of using the m4 macro processor to build the site, we're now running it using the Pelican Static Site Generator, allowing us to compose pages in reStructuredText and maintain them using GitLab. In a few days we'll write a blog post on our adventures getting there and our experiences along the way.

If you miss something from the old website or you have suggestions for improvements, please do not hesitate to contact us via [email protected]">email or Twitter.

Related links:

Blog post: Building a new home for NLnet Labs

Unbound 1.7.0 released

2018-03-15T00:00:00+01:00

We are pleased to announce the release of version 1.7.0 of the Unbound recursive DNS resolver. Apart from numerous big fixes, this version introduces some important new features.

Authority zones is an option that makes it possible to transfer an authoritative zone to Unbound. These transfers can happen using either HTTP/HTTPS or using the traditional DNS transfer mechanisms (AXFR and IXFR). The authority zones option can be used to load a copy of the root zone as described in RFC 7706. Having the root zone loaded in a resolver can potentially decrease the round-trip times. Not having to contact the root servers also enhances privacy.

Also new in Unbound 1.7.0 is the aggressive use of the DNSSEC-validated cache, as described in RFC 8198. This feature allows Unbound to use cached NSEC records to generate negative answers within a range and positive answers from wildcards. This increases performance, decreases latency and resource utilization on both authoritative and recursive servers, and increases privacy.

Finally, we introduced the dnscrypt-provider-cert-rotated option, kindly contributed by Manu Bretelle. It allows handling multiple cert/key pairs while only distributing some of them. In order to reliably match a client magic with a given key without strong assumption as to how those were generated, we need both key and cert. Likewise, in order to know which ES version should be used. On the other hand, when rotating a cert, it can be desirable to only serve the new cert but still be able to handle clients that are still using the old certs's public key. The dnscrypt-provider-cert-rotated allows to instruct Unbound to not publish the cert as part of the DNS's provider_name's TXT answer.

For a full list of changes and binary and source packages, see the download page.

Related links:

NSD 4.1.20 released

2018-02-20T00:00:00+01:00

Today, we released version 4.1.20 of the authoritative DNS name server NSD.

This version is a bug fix release intended to close two memory leaks. One leak may occur when reading the data of unknown record types from zone files, while the other may happen when rehashing NSEC3 after a zone is transfered or read from a zone file.

You can get source packages of this version from the downloads page.

Related links:

Net::DNS 1.15 released

2018-02-09T00:00:00+01:00

This release has no bugs resolved nor any new features. Besides some minor code maintenance, this release only adds a Change notice to formalize the retirement of the GOST R 34.11-94 hash algorithm. However, the GOST algorithm will still work when a functional Digest::GOST module is present.

Related links:

The peculiar case of NSEC processing using expanded wildcard records

2018-01-30T00:00:00+01:00

We discovered a vulnerability in the processing of wildcard synthesized NSEC records. The result was Unbound, Google public DNS, PowerDNS and Dnsmasq contained a flaw that made it possible to downgrade secure connections. While synthesis of NSEC records is allowed by RFC 4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions.

Ralph Dolmans wrote a blog post about the discovery and findings.

Related links:

Bringing DNS Security and Privacy to the End User

2018-01-24T00:00:00+01:00

How the getdns API project helps to achieve the goal of DNSSEC validation and DANE authentication at the end-points.

Related links:

Blog post

Unbound 1.6.8 released

2018-01-19T00:00:00+01:00

Unbound 1.6.8 fixes CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records.

Related links:

NSD 4.1.19 released

2017-12-11T00:00:00+01:00

This release fixes IPv6 for the notify sending feature from 4.1.18.

Related links:

DNSSEC trigger 0.15

2017-12-06T00:00:00+01:00

This release fixes failure to start on OSX and Windows.

Related links:

NSD 4.1.18 released

2017-11-30T00:00:00+01:00

This release has features for saving memory and faster notification.With --enable-packed, 33% memory savings could be had, or somethingalong that size. Notification of secondary servers happens in parallel,and has faster timeouts. More sockets are used for zone transfers.This speeds up communication with a larger set of servers. Additionallya bug is fixed for dual-loaded parent-and-child zone configured at thesame time, when one of the zones has not loaded properly.

Related links:

Privacy: Using DNS-over-TLS with the new Quad9 DNS Service

2017-11-20T00:00:00+01:00

Hands-on install & configure of getdns and stubby to use DNS-over-TLS with Quad9 DNS service.

Related links:

Blog post

Net::DNS 1.13 released

2017-10-18T00:00:00+02:00

IDNA queries with Net::LibIDNS2

Related links:

DNSSEC trigger 0.14

2017-10-10T00:00:00+02:00

This release fixes install problems on OSX Sierra and High Sierra. The binary packages bundle the just-released unbound 1.6.7 that sends telemetry data about the root trust anchor.

Related links:

Unbound 1.6.7 released

2017-10-10T00:00:00+02:00

Unbound 1.6.7 sets the default for trust anchor signaling to yes. Thismakes a query with the key tags of the validation keys when the trustanchor DNSKEY is retrieved.

Related links:

Akkerhuis inductee Internet Hall of Fame

2017-09-19T00:00:00+02:00

Jaap Akkerhuis, NLnet Lab's senior research engineer and longtime contributor to the Internet technical community, is inducted into the Internet Hall of Fame. Follow the link below to read more on the background and contributions of Jaap's work in the past 40 year.

Related links:

Akkerhuis inductee IHoF2017

Unbound 1.6.6 released

2017-09-18T00:00:00+02:00

Unbound 1.6.6 blocks .test and .invalid by default. It has a -p optionto suppress pidfile creation (for startup script integration). And morestats and a shared secret cache for dnscrypt. And bug fixes.

Related links:

Sjoera Nas joined NLnet Labs board

2017-09-13T00:00:00+02:00

Sjoera Nas joined the board of NLnet Labs. She is an Internet and telecom privacy expert affiliated with Autoriteit Persoonsgegevens (Dutch DPA). We are delighted that she joined the board and will contribute with advice and guidance.

DNSSEC training at APTLD 72

2017-09-11T00:00:00+02:00

Berry van Halderen and Jaap Akkerhuis will give a two day DNSSEC course during the APTLD 72 meeting in Tbilisi (Sep 12-13). The course will cover DNS fundamentals, DNSSEC building blocks, policies and hands-on with OpenDNSSEC.

Related links:

APTLD 72 Agenda

Unbound 1.6.5 released

2017-08-21T00:00:00+02:00

Unbound 1.6.5 fixes RFC5011 Trust Anchor tracking for users that install between September 11 and October 11, 2017.

Related links:

Net::DNS 1.12 released

2017-08-18T00:00:00+02:00

Bugfixes and CDS and CDNSKEY printing according to erratum 5049 for RFC8078

Related links:

NSD 4.1.17 released

2017-07-21T00:00:00+02:00

This release has a fix that likely stops zone transfer failures and this release can parse the pre-errata and fixed errata format for deletes in CDS and CDNSKEY records.

Related links:

NLnet Labs Annual Report 2016

2017-06-30T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2016. In it we present an overview of Labs' various activities and describe their impact.

Related links:

Annual Report 2016 (PDF)

Unbound 1.6.4 released

2017-06-27T00:00:00+02:00

Unbound 1.6.4 contains key tag signaling RFC8145 support. B root is renumbered in the default root hints. The dnscrypt code supports the chacha cipher. The Unbound DNSSEC validator supports the ED25519 algorithm. The redirect-bogus patch in contrib can send validation failure users to a landing page.

Related links:

Net::DNS 1.11 released

2017-06-26T00:00:00+02:00

Maintenance work on IBM OS/390 support, ndots option in /etc/resolv.conf, workaround for hashpairs with cperl >= 5.27, zeroed waiting with bgbusy and EDNS size 512 queries

Related links:

Unbound 1.6.3 released

2017-06-13T00:00:00+02:00

Unbound 1.6.3 fixes an assertion failure when a malformed packet is received with 0x20 enabled.

Related links:

Net::DNS 1.10 released

2017-05-05T00:00:00+02:00

Bugfixes for Cygwin and MSWin32 environments. EBCDIC support updated. IBM OS/390 support

Related links:

NSD 4.1.16 released

2017-04-25T00:00:00+02:00

This release contains the minimal response nsd.conf option and bug fixes.

Related links:

Unbound 1.6.2 released

2017-04-24T00:00:00+02:00

Unbound 1.6.2 has a couple of new features and a list of bug fixes: trustanchor.unbound chaos query, response IP actions, stats from shm, --disable-sha1, dnscrypt support, and edns client subnet support merged in.

Related links:

getdns 1.1.0 released

2017-04-13T00:00:00+02:00

Functions for serving DNS. Stubby on board!

Related links:

Net::DNS 1.09 released

2017-03-24T00:00:00+01:00

Structured EDNS0 options

Related links:

Unbound 1.6.1 released

2017-02-21T00:00:00+01:00

Unbound 1.6.1 has the 2017 root trust anchor in unbound-anchor. The libunbound API has changed slightly, the callback typedef ends in _type. Source IP rate limiting, log-replies, and the release also has other new features and bug fixes.

Related links:

Net::DNS 1.08 released

2017-02-20T00:00:00+01:00

20th Anniversary, UPDATE and EDNS0 options handling for Net::DNS::Nameserver, better ineffective installs detection

Related links:

NSD 4.1.15 released

2017-02-16T00:00:00+01:00

This release contains bugfixes, in serial number parsing and nsec3 hash collision reporting.

Related links:

getdns 1.0.0 released

2017-01-17T00:00:00+01:00

First spec complete implementation of getdns

Related links:

Net::DNS 1.07 released

2016-12-29T00:00:00+01:00

Bugfixes and general maintenance work

Related links:

ldns 1.7.0 released

2016-12-20T00:00:00+01:00

Bugfixes and maintenance work, DANE verification delegated to OpenSSL functions, OpenSSL 1.1.0 support

Related links:

DNSSEC trigger 0.13

2016-12-15T00:00:00+01:00

Updated included binaries and installer for OSX.

Related links:

Unbound 1.6.0 released

2016-12-15T00:00:00+01:00

Unbound 1.6.0 has a number of features and bugfixes. More extensibleEDNS support. Views and local-zone tags provide for more feature rich filtering options, with CNAME support. SSL configuration features to turn on DNS over TLS for particular parts of the namespace. There were some bug fixes as well.

Related links:

NSD 4.1.14 released

2016-12-08T00:00:00+01:00

This version performs less zone transfer attempts, reducing load on the server. The xfrd state file has a new version number, to store theinformation. The new version of the file is written on exit of the daemon. And bug fixes.

Related links:

A Hybrid System for Automatic Exchanges of Routing Information

2016-12-02T00:00:00+01:00

The exchange of routing information for BGP configurations is a critical functionality that help autonomous systems communicate with each other in an efficient and robust way. In this work, we propose a hybrid system for automatic exchange of routing information. It addresses security and benefits from using a hybrid model for achieving policy routing information exchange in an efficient way.

Related links:

MSc. report (PDF)

DNS-Based Email Security -- DRAFT

2016-11-02T00:00:00+01:00

NLnet Labs contributed to the NIST SP 1800-6 DNS-Based Email Security report. Scenarios and practical instructions to use DNSSEC and DANE to secure email exchange (authentication and encryption of email and mail services).

Related links:

DNS-Based Secured Email

NSD 4.1.13 released

2016-09-27T00:00:00+02:00

Some features, such as multi master check option that does not upgrade from the first master that answers, but picks the best one. Additional section handling for type SRV. And bug fixes.

Related links:

Unbound 1.5.10 released

2016-09-27T00:00:00+02:00

In this release there is a fix for long downtime after connectivity loss, which was a longstanding unsolved issue. Features for tcp, TCPFast Open and timeout pressure to close connections when the tcp connections are getting full. Option to use ipv6 /64 for extra entropy. More bug fixes.

Related links:

NSD 4.1.12 released

2016-09-02T00:00:00+02:00

Fix malformed edns query assertion failure, reported by Michal Kepien (NASK).

Related links:

Net::DNS::SEC 1.03 released

2016-08-26T00:00:00+02:00

100% Code coverage in unit tests

Related links:

NSD 4.1.11 released

2016-08-09T00:00:00+02:00

Fix for unlimited AXFR vuln, for build without IPv6 and serve DS records for co-hosted parent zone, and other fixes.

Related links:

NLnet Labs Annual Report 2015

2016-06-30T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2015. In it we present an overview of Labs' various activities and describe their impact.

Related links:

Annual Report 2015 (PDF)

NSD 3.2.22 released

2016-06-14T00:00:00+02:00

Bug fixes accrued before end of support. Note that 3.2.x has end-of-support.

Related links:

NSD 4.1.10 released

2016-06-14T00:00:00+02:00

Transport preference for glue, DNAME occlusion, and other bug fixes.

Related links:

Unbound 1.5.9 released

2016-06-09T00:00:00+02:00

New IPv6 address for one of the root servers in the default root server configuration. And a number of bug fixes, for CD flags to forwarders, for 0x20 compatibility, for qname-minimisation with DNSSEC.

Related links:

Net::DNS 1.06 released

2016-05-27T00:00:00+02:00

Bugfixes and updated error reporting

Related links:

NSD 4.1.9 released

2016-03-15T00:00:00+01:00

Fix crash on upgrade to 4.1.8 in nsd.db read.

Related links:

NSD 3.2.21 released

2016-03-10T00:00:00+01:00

Fix segv in zone transfer. Note that 3.2.x has end-of-support.

Related links:

NSD 4.1.8 released

2016-03-10T00:00:00+01:00

Fix segv in zone transfer, nanosecond file timestamps and other fixes.

Related links:

Net::DNS 1.05 released

2016-03-07T00:00:00+01:00

Bugfixes + SMIMEA support

Related links:

Unbound 1.5.8 released

2016-03-02T00:00:00+01:00

Bug fixes, fix unbound-control-setup lines, fix GOST-hash failures, block .onion leakage.

Related links:

getdns 0.9 released

2015-12-31T00:00:00+01:00

Special New Year's Eve release of getdns. This release brings the implementation on par with the December 2015 version of the specification.

Related links:

NSD 3.2.20 released

2015-12-10T00:00:00+01:00

Formerr ratelimits, expired zones are fully fetched, other fixes. Note that 3.2.x has the end-of-support announced.

Related links:

NSD 4.1.7 released

2015-12-10T00:00:00+01:00

Fix TCP on Linux and other fixes.

Related links:

Unbound 1.5.7 released

2015-12-10T00:00:00+01:00

Fix a validation failure, newly added qname minimisation option, and other fixes.

Related links:

DNSSEC trigger 0.13 for OS X 10.11 released

2015-12-08T00:00:00+01:00

Update and correct install on Mac OS X 10.11 (El Capitan) systems.

Related links:

Net::DNS 1.04 released

2015-12-08T00:00:00+01:00

Emergency recovery and bugfix release

Related links:

CDAR Root Stability Study commissioned by ICANN

2015-12-03T00:00:00+01:00

NLnet Labs, SIDN and TNO have been commissioned by ICANN to examine the impact of the new gTLD programme on the root server system.

Related links:

Press release

Net::DNS 1.03 released

2015-11-06T00:00:00+01:00

Better TCP support and persistent sockets for bg(send|read|isready) functions

Related links:

NSD 4.1.6 released

2015-10-22T00:00:00+02:00

Fix segfault when configured with many interfaces, and fix EDNS bad version response.

Related links:

Unbound 1.5.6 released

2015-10-20T00:00:00+02:00

Fix occasional segfault in dns64 module and smaller fixes.

Related links:

Unbound 1.5.5 released

2015-10-06T00:00:00+02:00

Algorithm lenience, H root IP, fixes in RFC5011 code and other bug fixes.

Related links:

NSD 4.1.5 released

2015-09-21T00:00:00+02:00

Fixes flaw in 4.1.4 that served 127.0.0.1 by default instead of 0.0.0.0.

Related links:

Net::DNS 1.02 released

2015-09-16T00:00:00+02:00

Resolver bugfixes for handling ENTs in delegations

Related links:

Net::DNS::SEC 1.02 released

2015-09-16T00:00:00+02:00

Bugfix in unit test

Related links:

NSD 4.1.4 released

2015-09-09T00:00:00+02:00

Fix fetching expired zones with wrong serial management, fix short NSID responses, URI type.

Related links:

Net::DNS::SEC 1.01 released

2015-08-03T00:00:00+02:00

Crypto funcs for Net::DNS 1.01 DNSSEC RR's

Related links:

getdns 0.3.1 released

2015-07-18T00:00:00+02:00

Bugfixes, native stub DNSSEC validation, lists of transports

Related links:

Unbound 1.5.4 released

2015-07-09T00:00:00+02:00

negative cache options, algorithm lenience option, rate limits and bug fixes.

Related links:

Net::DNS 1.01 released

2015-07-06T00:00:00+02:00

First major release, DNSSEC RR's integrated

Related links:

NLnet Labs Annual Report 2014

2015-06-30T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2014. In it we present an overview of Labs' various activities and describe their impact.

Related links:

Annual Report 2014 (PDF)

NSD 4.1.3 released

2015-06-23T00:00:00+02:00

bug fixes, fix when remove child zone, tsig hash algorithms, add long list of zones more easily.

Related links:

NSD 3.2.19 released

2015-05-28T00:00:00+02:00

Bugfixes, tsig hashes, CDS, CDNSKEY, DNAME TTL. End-of-life has been announced for NSD 3 support.

Related links:

NSD 3 end of support May 20th, 2016

2015-05-20T00:00:00+02:00

With this notification, NLnet Labs makes known the end-of-support for NSD 3. Support for NSD 3 will be continued for one year (date May 20th, 2016).

Related links:

NSD 4.1.2 released

2015-04-14T00:00:00+02:00

log level 1 improvements, log notify serial, zone reader crash fixes, integer overflow bugfixes.

Related links:

getdns 0.1.7 released

2015-04-08T00:00:00+02:00

Bugfixes, internal rework and printing of JSON dicts

Related links:

Unbound 1.5.3 released

2015-03-10T00:00:00+01:00

Fix daemon exit after reload, and Solaris portability.

Related links:

BGP Route Leaks Analysis

2015-03-06T00:00:00+01:00

A route leak is a violation of the policies between the networks involved. In this project, we obtain routing information from differecent sources and make inferences to detect possible route leaks. These potential route leaks have been further investigated on their duration, the type of violation, and the type and origin of network that caused the leak-detection.

Related links:

MSc. report (PDF)

Net::DNS 0.83 released

2015-02-26T00:00:00+01:00

Bug fixes

Related links:

Unbound 1.5.2 released

2015-02-19T00:00:00+01:00

Fix validation failure, poison issue with harden-glue off, and add RPZ-style 'inform' local-zone, and control over unix pipes.

Related links:

Net::DNS::SEC 0.22 released

2015-02-11T00:00:00+01:00

RRSIG inception and exception in time values, ECDSA and Gost signature creation and verification, Version requirements detection for optional modules

Related links:

Akkerhuis selected for DNS Root Zone KSK design team

2015-02-05T00:00:00+01:00

Jaap Akkerhuis from NLnet Labs has been selected for the DNS Root Zone KSK rollover plan design team.

Related links:

ICANN Announcements

NSD 4.1.1 released

2015-02-03T00:00:00+01:00

zonestatistics, DNAME's CNAME TTL. Fixes for database growth, spinning, and other bugfixes.

Related links:

Net::DNS 0.82 released

2015-01-20T00:00:00+01:00

Single bug fix

Related links:

Unbound 1.5.1 released

2014-12-08T00:00:00+01:00

CVE-2014-8602 denial of service fixed. Crash fix, compile fix. AAAA-filter patch.

Related links:

Unbound 1.5.0 released

2014-11-18T00:00:00+01:00

DNS64, DNSTAP, better random numbers and ub_ctx_add_ta_autr(), num.query.tcpout=value, flush_negative, unblock-lan-zones conf and bug fixes

Related links:

ISC and NLnet Labs Joins Forces

2014-11-10T00:00:00+01:00

ISC and NLnet Labs have signed an agreement to make available a combined Advance Security Notification subscription on their software products.

Related links:

Press release

getdns 0.1.5 beta released

2014-10-31T00:00:00+01:00

Bugfixes and Hop-by-hop features for stub resolution

Related links:

Net::DNS 0.81 released

2014-10-29T00:00:00+01:00

Bug fixes

Related links:

Net::DNS::SEC 0.21 released

2014-10-24T00:00:00+02:00

Single bugfix: canonicalize RRSIG's Signer Name

Related links:

Net::DNS 0.80 released

2014-09-22T00:00:00+02:00

Single bugfix: Suppress "Too late to run INIT block ..." warnings

Related links:

NSD 4.1.0 released

2014-09-04T00:00:00+02:00

features for less memory use, faster read/write, wildcard includes. Bugfixes, fixes slowdown after a long time.

Related links:

getdns 0.1.4 beta released

2014-09-03T00:00:00+02:00

The fourth beta release of an open source implementation of the getdns API specification. This is an collaborative effort with Verisign and No Mountain Software.

Related links:

Wanted: software developer and senior developer/architect

2014-09-01T00:00:00+02:00

We are looking for a software developer and a senior developer/architect to design and implement Open Source Software used in the heart of the Internet.

Related links:

Employment

Net::DNS 0.79 released

2014-08-22T00:00:00+02:00

Bug fixes, Android OS support, OPENPGPKEY RR and a Net::DNS::Resolver::Recurse makeover

Related links:

Net::DNS::SEC 0.20 released

2014-08-15T00:00:00+02:00

Single bugfix: parsing of zero NSEC3 salt

Related links:

BGP Evolution Analysis

2014-07-31T00:00:00+02:00

The Internet has been growing rapidly for many years. A logical consequence of the growth trend is the increase in effort to discover reachability and routing information of all the networks. The project investigates the different components which together form the actual update message signal and tries to find a reason behind the growth factor.

Related links:

MSc. report (PDF)

NSD 3.2.18 released

2014-07-28T00:00:00+02:00

Bugfix release

Related links:

Net::DNS 0.78 released

2014-07-10T00:00:00+02:00

Primarily bug fixes and multiline printing of TXT rdata

Related links:

Measuring the Deployment of DNSSEC over the Internet

2014-07-02T00:00:00+02:00

The deployment of DNSSEC is measured with the RIPE Atlas infrastructure. The results provide new insight on the distribution of DNSSEC support among resolvers, and notably show that around 90% of resolvers are DNSSEC-aware, and about 30% validate answers.

Related links:

MSc. report (PDF)

Net::DNS 0.77 released

2014-06-13T00:00:00+02:00

Fixing recent regressions, introducing an iterator interface to axfr() and more robust and secure resolver configuration processing

Related links:

NLnet Labs Annual Report 2013

2014-05-27T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2013. In it we present an overview of Labs' various activities and describe their impact.

Related links:

Annual Report 2013 (PDF)

Net::DNS 0.76 released

2014-05-23T00:00:00+02:00

OrderedDict([('tt', ['/etc/resolv.conf', 'nameserver']), ('#text', 'This is an emergency release fixing the parsing bug that evaluated only the last line.')])

Related links:

Dnssec-Trigger 0.12 released

2014-05-22T00:00:00+02:00

experimental package that provides DNSSEC on personal computers. Bug fixes, ip address change in default config, software update.

Related links:

Net::DNS 0.75 released

2014-05-08T00:00:00+02:00

Besides bugfixes zone transfers can now be TSIG verified

Related links:

Net::DNS::SEC 0.18 released

2014-05-08T00:00:00+02:00

Bugfixes and exploit new Net::DNS architecture

Related links:

NSD 4.0.3 released

2014-03-14T00:00:00+01:00

Fix start-stop problems.

Related links:

NSD 4.0.2 released

2014-03-12T00:00:00+01:00

Fix memory leaks. Fix ipv6 by disable of recvmmsg. REFUSED for nonhosted zones.

Related links:

Unbound 1.4.22 released

2014-03-12T00:00:00+01:00

no libldns dependency, fix trustanchor full filesystem, fix lenience on validation of nxdomain empty nonterminals

Related links:

getdns 0.1.0 beta released

2014-02-26T00:00:00+01:00

The first beta release of an open source implementation of the getdns API specification. This is an collaborative effort with Verisign and No Mountain Software.

Related links:

Open Data Analysis to Retrieve Sensitive Information Regarding National-Centric Critical Infrastructures

2014-02-03T00:00:00+01:00

Open Data repositories store a variety of information from country governments and private sectors. A concern is that with publishing data, sensitive information can be obtained by visual analytic techniques. The report shows that it is possible to retrieve precise locations where critical infrastructures overlap.

Related links:

MSc. report (PDF …

NSD 3.2.17 released

2014-01-27T00:00:00+01:00

Bug fixes and CAA RRtype added.

Related links:

NSD 4.0.1 released

2014-01-27T00:00:00+01:00

Fix segfaults for type WKS, for NSEC3-IXFRs in a co-hosted parent and child zone situation. CAA, EUI48, EUI64 support. smaller fixes.

Related links:

Net::DNS 0.74 released

2014-01-16T00:00:00+01:00

Resolves a pressing bug with TSIG. Support for CAA, EUI48 and EUI64 RR types

Related links:

ldns 1.6.17 released

2014-01-10T00:00:00+01:00

Many bugfixes, All current (draft) RR types implemented, Better ldns-verify-zone performance and Perl5 bindings with the DNS::LDNS module.

Related links:

Securing the last mile of DNS with CGA-TSIG

2014-01-08T00:00:00+01:00

TSIG with shared keys is not scalable as a solution for the DNS last mile problem. CGA-TSIG extends TSIG with CGA so that shared secrets are no longer required. This research investigates the CGA-TSIG proposal by doing a security analysis and by making a PoC implementation in ldns.

Related links:

MSc. report (PDF)

DNSSEC Audit Framework

2013-12-30T00:00:00+01:00

In collaboration with SWITCH, the .CH and .LI registry, we have created a DNSSEC audit framework, that can be used to conduct a review of your or someone else's DNSSEC implementation.

Related links:

Net::DNS 0.73 released

2013-11-29T00:00:00+01:00

Bugfixes, TSIG validation and TSIG support for HMAC-SHA1 .. HMAC-SHA512

Related links:

NSD 4.0.0 released

2013-10-29T00:00:00+01:00

New major release with many features: dynamically reconfig to add and remove zones, more TCP support, many more zones loaded, faster speed.

Related links:

NLnet Labs Strategic Plan 2014

2013-10-09T00:00:00+02:00

This is the first time we post this type of plan publicly. With this plan we intend to communicate who we are and where we are going, it serves the NLnet Labs Board and Staff but also the parties that support our mission and want to contribute financially.

Related links:

Strategic Plan(PDF)

Unbound 1.4.21 released

2013-09-19T00:00:00+02:00

bugfixes, y2038k, add_insecure, more includes, max-udp

Related links:

Experiences with MPTCP in an International OpenFlow Network

2013-09-03T00:00:00+02:00

Keeping up with the network demand in order to transfer these data sets over the Internet is a challenge. Single links do not have enough capacity anymore. Therefore we need to install more interfaces in the servers and use all available paths in the network. In this paper we describe two new technologies that help to optimally use the capacity of all multiple paths simultaneously: OpenFlow and Multipath TCP (MPTCP).

Related links:

TNC2013 paper (PDF)

Discovery and Mapping of the Dutch National Critical IP Infrastructure

2013-08-12T00:00:00+02:00

The research project entails the mapping and subsequent analysis of the AS-level interconnections between the organisations active as the Dutch critical infrastructure. One of the conclusions is that the Dutch critical infrastructure organisations are well interconnected but rely a lot on foreign entities for IP transit and even for carrying potentially sensitive information via web and email services.

Related links:

MSc. report (PDF)

NSD 3.2.16 released

2013-07-22T00:00:00+02:00

EUI48 and EUI64 RR types, improvements to RRL, new config options.

Related links:

Identifying Patterns in DNS Traffic

2013-07-09T00:00:00+02:00

A visual analytics approach is used on a large set of DNS packet captures to gain insight into ways that authoritative name servers are abused for denial of service attacks. Several tools were developed to identify patterns in DNS queries and responses.

Related links:

MSc. report (PDF)

Wanted: Systems engineer

2013-06-17T00:00:00+02:00

We are looking for a Junior Systems Engineer to provide support, maintain systems and design and implement Open Source Software used in the heart of the Internet.

Related links:

Employment

NLnet Labs Annual Report 2012

2013-05-27T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2012. NLnet Labs is active in those areas where a long-breath can have a profound impact on the Internet societal value and 2012 was an interesting year in all areas on which NLnet Labs is active.

Related links:

Annual Report 2012 (PDF)

OpenDNSSEC 1.4.0 released

2013-04-22T00:00:00+02:00

Version 1.4.0 of OpenDNSSEC has now been released. It includes support for AXFR and IXFR, both input and output; HSM login; and more. Also the Auditor is deprecated.

Related links:

More information

Unbound 1.4.20 released

2013-03-21T00:00:00+01:00

bugfixes, TTL from libunbound

Related links:

Making do with what we've got: Using PMTUD for a higher DNS responsiveness

2013-02-28T00:00:00+01:00

Exploration of improving DNS with IPv6 by responding to ICMPv6 PTB messages

Related links:

OpenDNSSEC 1.3.13 released

2013-02-20T00:00:00+01:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Defending against DNS reflection amplification attacks

2013-02-18T00:00:00+01:00

Measurements and analysis of defense mechanisms against DNS reflection and amplification attacks.

Related links:

NSD 3.2.15 released

2013-02-04T00:00:00+01:00

RRL, ILNP RR types, improved TSIG initialization, bugfixes.

Related links:

Net::DNS 0.72 released

2012-12-28T00:00:00+01:00

Minor bugfix release which resolves issues with TSIG introduced in 0.69.

Related links:

RFC6781: DNSSEC Operational Practices, Version 2

2012-12-24T00:00:00+01:00

An updated set of practices for operating the DNS with security extensions (DNSSEC).

Related links:

RFC6781

Net::DNS 0.71 released

2012-12-15T00:00:00+01:00

Critical bugfixes. A temporary workaround to make sa-update tick again.

Related links:

Unbound 1.4.19 released

2012-12-12T00:00:00+01:00

bugfixes, RSAMD5 deprecated

Related links:

Net::DNS 0.70 released

2012-12-06T00:00:00+01:00

OrderedDict([('br', None), ('#text', 'Internationalized Domain Names support in owner names and rdata fields.n Everything new in 0.69 + RFC6742 support')])

Related links:

OpenDNSSEC 1.3.12 released

2012-12-03T00:00:00+01:00

Bugfix release. For downloads and more information about future releaseplans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Net::DNS::SEC 0.17 released

2012-11-29T00:00:00+01:00

Bugfixes and validation of wildcard RR sets

Related links:

ldns 1.6.16 released

2012-11-13T00:00:00+01:00

OrderedDict([('br', None), ('#text', 'ldns 1.6.14 and ldns 1.6.15 had a bug in creating empty bitmaps for NSEC3 on empty non-terminals; and were unable to build a loadable pyldns module.This release has those two bugs resolved.')])

Related links:

OpenDNSSEC 1.3.11 released

2012-11-13T00:00:00+01:00

Bugfix release. For downloads and more information about future releaseplans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

NSD 3.2.14 released

2012-11-01T00:00:00+01:00

Bugfix release and TCP writev support, to improve TCP performance. See link for more information.

Related links:

ldns 1.6.15 released

2012-10-25T00:00:00+02:00

OrderedDict([('br', None), ('#text', 'Emergency release restoring binary compatibility with previous releases.ldns 1.6.14 had:n Many bugfixes thanks to code reviews, A big pyldns update and DANE support (RFC 6698), including a new example tool: ldns-dane for verifying and creating TLSA records.')])

Related links:

ldns 1.6.14 released

2012-10-23T00:00:00+02:00

Many bugfixes thanks to code reviews, A big pyldns update and DANE support (RFC 6698), including a new example tool: ldns-dane for verifying and creating TLSA records.

Related links:

OpenDNSSEC 1.3.10 released

2012-10-08T00:00:00+02:00

Bugfix release. For downloads and more information about future releaseplans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

We have a Blog

2012-09-14T00:00:00+02:00

NLnet Labs now maintains a blog. We use it to publish (technical) background informagion about design and the use of our software and other material relevant to the community.

Related links:

Blog Pages

Resilient OpenDNSSEC (MSc. thesis)

2012-08-20T00:00:00+02:00

This thesis analyses error situations in securing DNS zones with OpenDNSSEC. Recommendations are presented to increase the resilience level that OpenDNSSEC can offer against such situations.

Related links:

Unbound 1.4.18 released

2012-08-02T00:00:00+02:00

bugfixes: assertion failures, validator failure

Related links:

NSD 3.2.13 released

2012-07-27T00:00:00+02:00

Emergency release fixing another denial of service vulnerability [ VU#517036 CVE-2012-2979 ], a bugfix and a typo.

Related links:

Discovering Path MTU black holes on the Internet using RIPE Atlas (MSc. thesis)

2012-07-23T00:00:00+02:00

Measurement and analysis of Path MTU black holes due to ICMP and packet fragment filtering on the Internet.

Related links:

NSD 3.2.12 released

2012-07-19T00:00:00+02:00

Emergency release fixing a denial of service vulnerability from non-standard DNS packet from any host on the internet. [ VU#624931 CVE-2012-2978 ]

Related links:

NSD 3.2.11 released

2012-07-09T00:00:00+02:00

TLSA/DANE support, ECDSA, per zone statistics and a couple of bugfixes.

Related links:

Credns 0.2.10 released

2012-06-22T00:00:00+02:00

Software program aimed at fortifying DNSSEC by performing validation in the DNS notify/transfer-chain.

Related links:

OpenDNSSEC 1.3.9 released

2012-06-18T00:00:00+02:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

RFC 6605: ECDSA for DNSSEC

2012-06-18T00:00:00+02:00

This document describes how to specify Elliptic Curve DigitalSignature Algorithm (DSA) keys and signatures in DNS Security(DNSSEC).

Related links:

RFC6605

RFC6635: RFC Editor Model (2)

2012-06-18T00:00:00+02:00

This document describes the the RFC Series functions: the RFC Series Editor,the RFC Production Center, and the RFC Publisher.

Related links:

RFC6635

RFC6672: DNAME redirection in the DNS

2012-06-18T00:00:00+02:00

The DNAME record provides redirection for a subtree of the domainname tree in the DNS.

Related links:

RFC6672

NLnet Labs Annual Report 2011

2012-06-08T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2011. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.

Related links:

Annual Report 2011 (PDF)

Dnssec-Trigger 0.11 released

2012-06-07T00:00:00+02:00

experimental package that provides DNSSEC on personal computers. Bug fixes, hotspot detection, software update.

Related links:

Roelof Meijer joins NLnet Labs' board

2012-06-04T00:00:00+02:00

As of May 31 Roelof Meijer is a member of the NLnet Labs' Board. Roelof is the CEO of SIDN, the Dutch TLD-registry which is one of the major financial contributors of NLnet Labs.

Related links:

About NLnet Labs

Unbound 1.4.17 released

2012-05-24T00:00:00+02:00

bugfixes, roundrobin, ECDSA

Related links:

ldns 1.6.13 released

2012-05-21T00:00:00+02:00

Bugfixes, ECDSA support (RFC 6605) & new commandline options to ldns-verify-zone for specifying keys, whether or not to sigchase, and inception and expiration offsets.

Related links:

OpenDNSSEC 1.3.8 released

2012-05-14T00:00:00+02:00

Minor features and two bugfixes. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Flexible and Robust Key Rollover in DNSSEC

2012-03-28T00:00:00+02:00

Paper describing the OpenDNSSEC Enforcer NG design, presented at SATIN 2012.

Related links:

OpenDNSSEC 1.3.7 released

2012-03-13T00:00:00+01:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Dnssec-Trigger 0.10 released

2012-02-17T00:00:00+01:00

experimental package that provides DNSSEC on personal computers. Bug fixes, easier hotspot, no two popups, installer fixes.

Related links:

OpenDNSSEC 1.3.6 released

2012-02-17T00:00:00+01:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Unbound/DnssecTrigger workshop at Augsburger Linutage

2012-02-17T00:00:00+01:00

Free Unbound/DNSSEC Trigger workshop at Augsburger Linux Infotage by Carsten Strotmann, 24 March.

Related links:

Programm

NSD 3.2.10 released

2012-02-15T00:00:00+01:00

Bugfix release.

Related links:

Unbound 1.4.16 released

2012-02-02T00:00:00+01:00

Fixes bug in bugfix from 1.4.15, and other bugfixes.

Related links:

Net::DNS 0.68 released

2012-01-30T00:00:00+01:00

Bugfixes and Internationalized Domain Names support in queries

Related links:

Unbound 1.4.15 released

2012-01-26T00:00:00+01:00

Bugfixes: fix memory leak, hash randomized.

Related links:

Collaboration between SIDN and NLnet Labs

2012-01-23T00:00:00+01:00

SIDN, the company behind .nl, today signed a five-year contract with NLnet Labs. NLnet Labs - the Dutch internet technology expertise centre - has a worldwide reputation for its work in the field of DNS and DNSSEC. Through its financial backing for NLnet Labs, SIDN aims to support not only the continued development of DNS applications such as Unbound and NSD, but also NLnet Labs' general internet R&D work, at least for the next five years.

Related links:

Press Announcement

Authenticated Denial of Existence in the DNS (part 2)

2012-01-16T00:00:00+01:00

A new version of the paper on denial of existence in the DNS and how the protocol evolved. Version 2.

Related links:

ldns 1.6.12 released

2012-01-11T00:00:00+01:00

Bugfixes (including the date transposition flaw) and minor new features such as: user definable current time, SOA serial update functions and improvements of the build system.

Related links:

Dnssec-Trigger 0.9 released

2011-12-19T00:00:00+01:00

experimental package that provides DNSSEC on personal computers. unbound 1.4.14 in binary packages. minor fixes.

Related links:

Unbound 1.4.14 released

2011-12-19T00:00:00+01:00

Fix [VU#209659 CVE-2011-4528]. Bugfixes, small features.

Related links:

Unbound advisory (CVE-2011-4528)

2011-12-19T00:00:00+01:00

Denial-of-Service vulnerabilities

Related links:

Dnssec-Trigger 0.8 released

2011-12-13T00:00:00+01:00

experimental package that provides DNSSEC on personal computers. important bugfixes, SSL fallback.

Related links:

NSD 3.2.9 released

2011-11-23T00:00:00+01:00

Two new features: minimize responses to reduce the setting of the TC bit and less NSEC3 prehashing to speed up a reload after a zone transfer. Also, a fair list of bugfixes. See the Release Notes for more information.

Related links:

OpenDNSSEC 1.3.3 released

2011-11-17T00:00:00+01:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Authenticated Denial of Existence in the DNS

2011-11-09T00:00:00+01:00

Paper on denial of existence in the DNS and how the protocol evolved. It answers two simple questions: Why do you need at most two NSEC records in negative responses? And why does NSEC3 requires an extra record?

Related links:

Net::DNS 0.67 released

2011-11-07T00:00:00+01:00

Many bug fixes, a modular serial number system, experimetal work on IDN, rework of the build system.

Related links:

Dnssec-Trigger 0.7 released

2011-10-28T00:00:00+02:00

experimental new package that provides DNSSEC on personal computers. Mac install dmg, fixes.

Related links:

Dnssec-Trigger 0.6 released

2011-10-21T00:00:00+02:00

experimental test of new package that provides DNSSEC on personal computers. Fixes, XFCE and Unity support.

Related links:

Dnssec-Trigger 0.5 released

2011-09-29T00:00:00+02:00

experimental test of new package. Together with unbound provides DNSSEC on 127.0.0.1 on personal computers.

Related links:

ldns 1.6.11 released

2011-09-29T00:00:00+02:00

Bug fixes, small new features (such as more control over formatting to text) and a new contributed python module: LDNSX.

Related links:

Unbound 1.4.13 released

2011-09-15T00:00:00+02:00

bug fixes.

Related links:

OpenDNSSEC 1.3.2 released

2011-09-13T00:00:00+02:00

Two bugfixes regarding reading the backup files. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

OpenDNSSEC 1.3.1 released

2011-09-06T00:00:00+02:00

Threading bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Multi-Path Inter-Domain Routing: The Impact on BGP's Scalability, Stability, and Resilience to Link Failures

2011-08-31T00:00:00+02:00

Multi-path routing protocols are proposed to solve transient disconnectivity during convergence time. As their name implies, these protocols are designed to explore more paths than BGP in the attempt to keep the ASes connected in case of link failures. The impact of the multi-path routing protocols on scalability, stability, and resilience to link failures are studied using simulation experiments.

Related links:

MSc. thesis (PDF)

OpenDNSSEC 1.2.2 released

2011-08-11T00:00:00+02:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Unbound 1.4.12 released

2011-07-14T00:00:00+02:00

two serious bug fixes.

Related links:

OpenDNSSEC 1.3.0 released

2011-07-12T00:00:00+02:00

Increased signing performance.

Related links:

OpenDNSSEC website

Unbound 1.4.11 released

2011-06-30T00:00:00+02:00

bug fixes, minor usability features.

Related links:

ldns 1.6.10 released

2011-05-31T00:00:00+02:00

Bug fixes

Related links:

NLnet Labs Annual Report 2010

2011-05-30T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2010. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.

Related links:

Annual Report 2010 (PDF)

Unbound 1.4.10 released

2011-05-25T00:00:00+02:00

Fixes denial-of-service assertion failure, CVE-2011-1922 VU#531342

Related links:

Unbound advisory (CVE-2011-1922)

2011-05-25T00:00:00+02:00

Denial-of-service assertion failure

Related links:

World IPv6 Day event

2011-05-12T00:00:00+02:00

On Wednesday 8 June 2011, the Dutch World IPv6 Day event will be organised at the Science Park, Amsterdam.

Related links:

Outage due to rehousing

2011-04-27T00:00:00+02:00

On Thursday 28 April 2011, NLnet Labs will move office and servers to a new location. Thereby all our services will be offline from 09:00am CET till +-12:00am. Our new location is:

Science Park 400
1098XH Amsterdam

HowTo setup DNSSEC validation

2011-04-07T00:00:00+02:00

describes use of unbound with root trust anchor.

Related links:

HowTo

Unbound 1.4.9 released

2011-03-24T00:00:00+01:00

bug fixes, not entire packet dropped if private-address is blocked.

Related links:

NSD 3.2.8 released

2011-03-22T00:00:00+01:00

bugfix release, including #216 fixing memory leak relating zone transfers.

Related links:

ldns 1.6.9 released

2011-03-18T00:00:00+01:00

bug fixes

Related links:

OpenDNSSEC 1.2.1 released

2011-03-18T00:00:00+01:00

Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

Multithreaded signing support for OpenDNSSEC

2011-03-14T00:00:00+01:00

We have changed the design so that RRsets are added to a signing queue, where a pool of signer threads (called drudgers) grab a signing task and perform it. With the SCA6000 HSM we now reach maximum performance, meaning OpenDNSSEC can do a 13.000+ signatures per second. The .se zone can now be signed in 2 minute 50 seconds, of which 1 minute 14 seconds are signing operations.

Related links:

Read more on the OpenDNSSEC website

ldns 1.6.8 released

2011-01-24T00:00:00+01:00

bug fixes

Related links:

NSD 3.2.7 released

2011-01-24T00:00:00+01:00

small bugfix release, #347 being the most important fix (NSEC3 related)

Related links:

Unbound 1.4.8 released

2011-01-24T00:00:00+01:00

bug fixes, so-sndbuf, more lenient algorithm rollover supported.

Related links:

OpenDNSSEC 1.2.0 out now

2011-01-14T00:00:00+01:00

OpenDNSSEC 1.2.0 is released today. Python dependencies are dropped: the whole signer engine is now written in c. Improvements on the enforcer. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

AFNIC offered a yearly Subsidy

2010-11-22T00:00:00+01:00

AFNIC has generously offered a yearly subsidy that aids the NLnet Labs Foundation to accomplish its chartered goals. AFNIC's Head of R&D, Mohsen Souissi: "We want to express support for the open source and open standards work that NLnet Labs is pursuing. By producing stable and high quality DNSSEC-enabled software they are bringing needed code diversity to the DNS industry and lowering the bar for global DNSSEC deployment. The organization deserves our sustained support

Related links:

More information about contributing to NLnet Labs

ldns 1.6.7 released

2010-11-08T00:00:00+01:00

bug fixes, experimental ecdsa support

Related links:

Unbound 1.4.7 released

2010-11-08T00:00:00+01:00

Bug fixes, unbound-anchor for automated DNSSEC root key tracking, that works if you have been offline.

Related links:

Unbound timeout article

2010-11-08T00:00:00+01:00

There is an article that describes how unbound manages timeouts from remote servers.

Related links:

Unbound documentation

Unbound requestlist article

2010-10-21T00:00:00+02:00

Men&Mice has a nice article describing how the unbound requestlist works.

Related links:

Article

Secure Routing: State-of-the-Art Deployment and Impact on Network Resilience

2010-09-28T00:00:00+02:00

This ENISA publication reports on a study by NLnet Labs and GNKS Consult, surveying current state-of-the-art secure routing technologies. Network operators, engineers, and researchers are interviewed on the deployment of secure routing technology, its performance expectations and operating experiences, and future perspectives.

Related links:

ENISA Secure Routing Report (PDF)

Impact of Topology on BGP Convergence

2010-08-23T00:00:00+02:00

This MSc. thesis in collaboration with VU University Amsterdam, reports on the study to understand how the underlying topology of the Internet influences BGP performance. A highly scalable simulator is used to simulate full-scale AS-level Internet. We found that BGP is sensitive to certain topological characteristics of the Internet, while remain completely unaffected on variation in some other characteristics.

Related links:

MSc. thesis (PDF)

ldns 1.6.6 released

2010-08-09T00:00:00+02:00

bug fixes release

Related links:

Unbound 1.4.6 released

2010-08-03T00:00:00+02:00

Bug fixes, GOST support.

Related links:

NSD 3.2.6 released

2010-08-02T00:00:00+02:00

small bugfix release, but also has a new feature and some operational changes

Related links:

Flavors of Unbound

2010-07-28T00:00:00+02:00

Men & Mice have published an article on how to select between different flavors of Unbound compilation. This article explains the technical differences of the possible flavors of Unbound and gives proposals under which type of DNS workload a specific flavor will perform best. The article will be kept updated when new versions of unbound are released.

Related links:

DNSSEC Root Key declaration

2010-07-14T00:00:00+02:00

On 16 June 2010 around 21:20 UTC Olaf Kolkman witnessed a key generation procedure by which a DNSSEC Key Signing Key for signing the DNS root has been created. The key is known with key-ID 19036.

Related links:

PGP Signed Declaration containing the DS hash

Testing Key States of RFC 5011 in Autotrust

2010-07-12T00:00:00+02:00

Carsten Rutz of Radboud University investigated the usability of time model-based testing in a case study: Conformance of the implementation Autotrust with RFC 5011. The results are presented in a bachelor thesis.

Related links:

HTML
PDF

ldns 1.6.5 released

2010-06-15T00:00:00+02:00

bug fixes, TALINK, GOST (disabled by default).

Related links:

Unbound 1.4.5 released

2010-06-15T00:00:00+02:00

bug fixes.

Related links:

NLnet Labs Annual Report 2009

2010-06-02T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2009. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.

Related links:

Annual Report 2009 (PDF)

Unbound 1.4.4 released

2010-04-22T00:00:00+02:00

bug fixes.

Related links:

NSD 3.2.5 released

2010-04-14T00:00:00+02:00

Optimized, NSID friendly NSD release

Related links:

NSEC3 Hash Performance

2010-03-18T00:00:00+01:00

We have measured the effect ofthe number of hash iterations in NSEC3 in terms of maximum query load usingNSD and Unbound. This document presents the results of these measurementsand compares the cost for validating and authoritative name servers and allowsfor an educated choice for these parameters.

Related links:

Unbound 1.4.3 released

2010-03-11T00:00:00+01:00

crash fix for 64bit platforms.

Related links:

Unbound 1.4.2 released

2010-03-09T00:00:00+01:00

bugfix.

Related links:

Stale keys and unbound behaviour

2010-02-12T00:00:00+01:00

Statement regarding concerns about stale keys and Unbound behavior

Related links:

mail

OpenDNSSEC 1.0.0 out now

2010-02-09T00:00:00+01:00

The first official OpenDNSSEC release is available right now. For downloads and more information about future release plans, visit the OpenDNSSEC website.

Related links:

OpenDNSSEC website

ldns 1.6.4 released

2010-01-20T00:00:00+01:00

This new release has the pyldns contribution by Zdenek Vasicek and Karel Slany imported. Plus bug fixes.

Related links:

NSD 3.2.4 released

2010-01-06T00:00:00+01:00

This new NSD release comes with some new configure options, DLV record support and some bugfixes.

Related links:

Unbound 1.4.1 released

2009-12-17T00:00:00+01:00

bugfix.

Related links:

ldns 1.6.3 released

2009-12-04T00:00:00+01:00

Small bugfix release.

Related links:

Unbound 1.4.0 released

2009-11-26T00:00:00+01:00

RFC5011, RFC5702 features and bugfixes.

Related links:

ldns 1.6.2 released

2009-11-12T00:00:00+01:00

Enables SHA2 by default. Fixes lots of bugs for OpenDNSSEC and other. ldns-sign-zone will minimally sign the DNSKEY rrset.

Related links:

Securing DNS: Extending DNS Servers with a DNSSEC Validator

2009-10-27T00:00:00+01:00

DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a challenge. _i(Published in IEEE Security & Privacy), _i(Sept/Oct. 2009.)

Related links:

Securing DNS (DOI Bookmark)

Unbound 1.3.4 released

2009-10-07T00:00:00+02:00

DNSSEC downgrade bug fixed.

Related links:

autotrust 0.3.1 released

2009-09-08T00:00:00+02:00

This new autotrust release offers some new features like syslog and resolver reloading, as well as some bug fixes. Also, the configuration file format has changed, to be more in line with Unbound.

Related links:

SURFnet deploys DNSSEC and uses Unbound

2009-09-08T00:00:00+02:00

SURFnet announces that all SURFnet DNS (Domain Name System) resolvers now support DNSSEC. SURFnet uses Unbound as its resolver of choice. SURFnet is one of the first networks in the Netherlands to support DNSSEC.

Related links:

More information

Innovation vouchers

2009-08-28T00:00:00+02:00

For Dutch companies there is, under a program to promote innovation, the possibility to receive a 2.500 Euro subsidy. The NLnet foundation, our mother, has a program that allows furthering of open source software by any Dutch company that is registered with the Chamber of Commerce. It takes 10 minutes to fill in the paperwork and direct those 2.500 Euro toward a good purpose.

Related links:

NLnet innovation vouchers

NSD 3.2.3 released

2009-08-17T00:00:00+02:00

Bugfixes

Related links:

ldns 1.6.1 released

2009-08-14T00:00:00+02:00

Bugfixes, minor features.

Related links:

Unbound 1.3.3 released

2009-08-04T00:00:00+02:00

Bugfixes, minor features.

Related links:

OpenDNSSEC technology preview

2009-07-30T00:00:00+02:00

The OpenDNSSEC project announces the development of Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security. Visit the OpenDNSSEC website for more information and to download the technology preview.

Related links:

OpenDNSSEC website

NLnet Labs is hiring

2009-07-25T00:00:00+02:00

We are looking for enthusiastic programmer/developers to complete our 6 persons team. Somebody who will be developing and maintaining open source software and open standards.

Related links:

More information

Unbound 1.3.2 released

2009-07-13T00:00:00+02:00

Windows port fixed.

Related links:

ldns 1.6.0 released

2009-07-09T00:00:00+02:00

Bugfixes, minor features.

Related links:

Unbound 1.3.1 released

2009-07-09T00:00:00+02:00

Bugfixes.

Related links:

BSD Podcast

2009-07-08T00:00:00+02:00

The bsdtalk podcast by Will Backman interviews WouterWijngaards about the Unbound resolver.

Related links:

bsdtalk 176

DNSSEC HOWTO updated

2009-07-04T00:00:00+02:00

The DNSSEC HOWTO received its first public update after 2007. Examples have been updated to use recent versions of the software, Unbound configuration has been added, and some new material has been added.

Related links:

Unbound 1.3.0 released

2009-06-11T00:00:00+02:00

Windows port. Python contribution. Bugfixes.

Related links:

NLnet Labs Annual Report 2008

2009-06-08T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2008. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.

Related links:

Annual Report 2008 (PDF)

NSD 3.2.2 release [critical]

2009-05-18T00:00:00+02:00

Critical bugfix release for NSD.

Related links:

NSD Vulnerability Announcement

2009-05-18T00:00:00+02:00

A one-byte buffer overflow has been detected in the NSD software. A fix is ready for download.

Related links:

RFI for Unbound Tech Support

2009-04-21T00:00:00+02:00

NLnet Labs is seeking information about organizations that would be willing and able to provide first and second line support for Unbound and would like to know more about their ideas on organization and cooperation.

Related links:

RFI-support

Implementing OpenLISP with LISP+ALT

2009-04-14T00:00:00+02:00

The LISP protocol has been developed to address the growth of the BGP routing table in the DFZ. OpenLISP is an implementation of this protocol, but does not include a location mapping service. This reports describes how a mapping locations service should interact with OpenLISP, GRE and Quagga to use LISP+ALT as a control plane.

Related links:

OpenLISP report (PDF)

ldns 1.5.1 released

2009-02-10T00:00:00+01:00

Bugfix release for the zone signer in ldns 1.5

Related links:

Unbound 1.2.1 released

2009-02-10T00:00:00+01:00

Bugfix release, features for smoother operations.

Related links:

ldns 1.5.0 released

2009-02-09T00:00:00+01:00

New version of ldns

Related links:

NSD 3.2.1. out now

2009-01-19T00:00:00+01:00

Mainly a bugfix release, but also some new features. Fixes AXFR fallback discussion.

Related links:

Unbound 1.2.0 released

2009-01-14T00:00:00+01:00

Minor features and important, security related, bugfixes.

Related links:

ldns 1.4.1 released

2008-12-19T00:00:00+01:00

New version of ldns; A couple of NSEC3 related bugs have fixed, as well some gripes in the build scripts.

Related links:

NLnet Labs joins DNSSEC industry coalition to Increase Adoption of Domain Name Security Extensions (DNSSEC).

2008-12-11T00:00:00+01:00

The DNSSEC Industry Coalition is a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. Members work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System.

Related links:

Unbound operation explained in book

2008-12-08T00:00:00+01:00

Book "Alternative DNS Servers", also describes Unbound and NSD operation.

Related links:

Unbound 1.1.1 released

2008-11-24T00:00:00+01:00

bugfixes.

Related links:

Unbound 1.1.0 released

2008-11-18T00:00:00+01:00

DLV support, statistics and lots of other features that have been requested. Also bugfixes.

Related links:

NSD 3.2.0 released

2008-11-10T00:00:00+01:00

A "feature rich" release. Contains longstanding requests such as SHA support for TSIG and configuration options for setting the outgoing interface. Also AXFR fallback, and IXFR on TCP by default. VERY IMPORTANT: The format of ixfr.db has changed, so be sure to process the old one before updating to 3.2.0.

Related links:

ldns 1.4.0 released

2008-11-07T00:00:00+01:00

New version of ldns; some small new and fixed features, and a number of bugs fixed

Related links:

DNSSEC Key Maintenance Analysis

2008-10-23T00:00:00+02:00

This document provides recommendations for the generation, storage and use of keys in the context of DNSSEC. It is a followup of NLnet Labs document 2006-SE-01: DNS Threat Analysis, written for .SE.

Related links:

Enforcing Integrity of Agent Migration Paths by Distribution of Trust

2008-09-25T00:00:00+02:00

Agent mobility is the ability of an agent to migrate from one location to another across a network. Though conceptually relatively straightforward, in practice security of mobile agents is a challenge. This paper discusses the security issues involved and proposes protocols for secure agent migration. AgentScape, an agent platform for mobile agents, is used to illustrate the feasibility of the implementation of these protocols.

Related links:

Download article (pdf)

Master Thesis BGP Modeling and Simulation

2008-09-08T00:00:00+02:00

In this thesis we present a new approach to BGP simulation. Instead of focussing on intra-domain communication, network and protocol are highly abstracted in order to allow for large-scale simulation. We describe our model of the BGP protocol along with its implementation. Many tracks of future researc are shown as well as many possible uses of this kind of approach to BGP simulation.

Related links:

Download master thesis (pdf)

Japan Unbound User Group

2008-09-04T00:00:00+02:00

The Japan Unbound Users Group has opened its website today, with unbound documentation, support and forum in Japanese.

Related links:

http://unbound.jp/

Annual Report 2007 released

2008-08-22T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2007. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.

Related links:

Annual Report 2007(pdf)

Unbound 1.0.2 released

2008-08-07T00:00:00+02:00

This release contains filtering fixes to prevent certaintypes of exploits. Also bugfixes.

Related links:

NSD 3.1.1 released

2008-07-21T00:00:00+02:00

This release contains mainly bugfixes. It also allows you to configure the maximum number of allowed interfaces. If you use it, it can have consequences for your memory usage.

Related links:

DNS Cache Poisoning Vulnerability

2008-07-19T00:00:00+02:00

Statement about US-CERT Vulnerability Note VU#800113 and Unbound

Related links:

NSD 3.1.0 released

2008-06-23T00:00:00+02:00

New version of NSD. It supports NSEC3 by default, has a "hide-version" configuration setting, to stop NSD answering from CHAOS class version requests, has bind2nsd 0.5.0, has some bugfixes resolved and reports source and zone for denied AXFR attempts. Some operational notes: the default locations of nsd.db, ixfr.db and xfrd.state are changed to the /var/db/nsd/ directory.

Related links:

ldns 1.3.0 released

2008-06-02T00:00:00+02:00

New version of ldns; If Unbound is to be linked against a separate copy of ldns, this version should be used. There are also some notable features, such as HSM support for DNSSEC signing, and nicer output for signature chasing.

Related links:

Unbound 1.0.0 released

2008-05-20T00:00:00+02:00

The public release of Unbound, a fast recursive validating caching DNS server.

Related links:

HSM Tutorial

2008-05-13T00:00:00+02:00

An introduction to the use of HSM.

Related links:

NSD 3.0.8 Release

2008-04-18T00:00:00+02:00

Better logging for nsd-notify, Add chkconfig configuration, nsdc bugfixes, strptime fix, more (bugzilla) fixes and logging features.

Related links:

ldns 1.2.2 Release

2007-11-28T00:00:00+01:00

We released a new version of ldns. There are some bugfixes, an added example tool, and hmac-md5 support for keys.

Related links:

NSD 3.0.7 Release

2007-11-13T00:00:00+01:00

Fixup of error handling for bad data in IXFRs. Manual page syntax improvements.

Related links:

NSD project page

Design of a Secure and Decentralized Location Service for Agent Platforms

2007-09-19T00:00:00+02:00

Publication on designing of a secure and decentralized location service for agent platforms.

Related links:

Download

Formalization and Verification of the Shim6 Protocol

2007-07-16T00:00:00+02:00

Publication on formalization and verification of the shim6 protocol.

Related links:

Annual Report 2006

2007-05-21T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2006. In it we present an overview of Labs' various activities and describe their impact.

Related links:

Download

DNS Threat Analysis

2007-05-03T00:00:00+02:00

Publication on DNS Threat Analysis.

Related links:

Download

NSD 2.3.7 Release

2007-04-16T00:00:00+02:00

This is a bug-fix release on our older maintenance branch of NSD. It includes a fixup of type WKS printing from nsd-xfer, a fixup in a call to getservbyport. There are changes in the getaddrinfo error message and a change to make it fall back to IPv4 if it fails for IPv6. A typecast is added to satisfy the compiler. Furthermore a cleanup of the text for NOTAUTH error code.

Related links:

NSD project page

NSD Memory Usage Estimate

2007-04-13T00:00:00+02:00

Small web tool added to make a memory size indication given zone specification.

Related links:

ldns 1.2.0 Release

2007-04-11T00:00:00+02:00

We released a new version of ldns. There are a lot of bugfixes, some more examples, and drill has had significant updates.

Related links:

NSD Powers Secure64 DNS Solution

2007-03-31T00:00:00+02:00

Secure64 is a company specialized in secure and high-performance applications. They have developed SourceT, a micro operating system geared towards secure network systems on Itanium processors. NSD has been ported to SourceT, and is used as the name server software of their Secure64 DNS product, providing RFC-compliant, DNSSEC-enabled, fast DNS services on top of their SourceT operating system. They have performed benchmarks on a Itanium machine with SourceT running NSD, and have been able to handle a query load of over 100,000 queries per second with only 1 CPU. The system was able to sustain DNS service in the face of a variety of common attack profiles until the network link was saturated.

Related links:

Annual Report 2005

2006-06-18T00:00:00+02:00

We are happy to present NLnet Labs Annual report 2005. In it we present an overview of Labs' various activities and describe their impact.

Related links:

Download