Software updates

NSD 4.0.3 released

Fri, 14 Mar 2014
Fix start-stop problems.
NSD project page. Direct Download.

NSD 4.0.2 released

Wed, 12 Mar 2014
Fix memory leaks. Fix ipv6 by disable of recvmmsg. REFUSED for nonhosted zones.
NSD project page. Direct Download.

Unbound 1.4.22 released

Wed, 12 March 2014
no libldns dependency, fix trustanchor full filesystem, fix lenience on validation of nxdomain empty nonterminals
Unbound website. Direct Download. Changes.

getdns 0.1.0 beta released

Wed, 26 Feb 2014
The first beta release of an open source implementation of the getdns API specification. This is an collaborative effort with Verisign and No Mountain Software.
Poject page. Direct Download. API specification.

NSD 3.2.17 released

Mon, 27 Jan 2014
Bug fixes and CAA RRtype added.
NSD project page. Direct Download.

Net::DNS 0.74 released

Thu, 16 Jan 2014
Resolves a pressing bug with TSIG. Support for CAA, EUI48 and EUI64 RR types
Net::DNS 0.74 release announcement. Project website. Direct Download. Changes.

ldns 1.6.17 released

Fri, 10 Jan 2014
Many bugfixes, All current (draft) RR types implemented, Better ldns-verify-zone performance and Perl5 bindings with the DNS::LDNS module.
ldns project page. Direct Download. Changes.

Net::DNS::SEC 0.17 released

Fri, 29 Nov 2012
Bugfixes and validation of wildcard RR sets
Net::DNS::SEC 0.17 release announcement. Project website. Direct Download. Changes.

OpenDNSSEC 1.4.0 released

Mon, 22 April 2013
Version 1.4.0 of OpenDNSSEC has now been released. It includes support for AXFR and IXFR, both input and output; HSM login; and more. Also the Auditor is deprecated.
More information.

Credns 0.2.10 released

Fri, 22 Jun 2012
Software program aimed at fortifying DNSSEC by performing validation in the DNS notify/transfer-chain.
Details. Direct Download.

Dnssec-Trigger 0.11 released

Thu, 7 Jun 2012
experimental package that provides DNSSEC on personal computers. Bug fixes, hotspot detection, software update.
Details. Direct Download. Changes.

NSD 4.0.1 released

Mon, 27 Jan 2014
Fix segfaults for type WKS, for NSEC3-IXFRs in a co-hosted parent and child zone situation. CAA, EUI48, EUI64 support. smaller fixes.
NSD project page. Direct Download.

Net::DNS 0.73 released

Fri, 29 Nov 2013
Bugfixes, TSIG validation and TSIG support for HMAC-SHA1 .. HMAC-SHA512
Net::DNS 0.73 release announcement. Project website. Direct Download. Changes.

NSD 4.0.0 released

Tue, 29 Oct 2013
New major release with many features: dynamically reconfig to add and remove zones, more TCP support, many more zones loaded, faster speed.
NSD project page. Direct Download.

Unbound 1.4.21 released

Thu, 19 September 2013
bugfixes, y2038k, add_insecure, more includes, max-udp
Unbound website. Direct Download. Changes.

NSD 3.2.16 released

Mon, 22 Jul 2013
EUI48 and EUI64 RR types, improvements to RRL, new config options.
NSD project page. Direct Download.

Unbound 1.4.20 released

Thu, 21 March 2013
bugfixes, TTL from libunbound
Unbound website. Direct Download. Changes.

OpenDNSSEC 1.3.13 released

Wed, 20 Feb 2013
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

NSD 3.2.15 released

Mon, 4 Feb 2013
RRL, ILNP RR types, improved TSIG initialization, bugfixes.
NSD project page. Direct Download.

Net::DNS 0.72 released

Fri, 28 Dec 2012
Minor bugfix release which resolves issues with TSIG introduced in 0.69.
Net::DNS 0.72 release announcement. Project website. Direct Download. Changes.

Net::DNS 0.71 released

Sat, 15 Dec 2012
Critical bugfixes. A temporary workaround to make sa-update tick again.
Net::DNS 0.71 release announcement. Project website. Direct Download. Changes.

Unbound 1.4.19 released

Thu, 12 December 2012
bugfixes, RSAMD5 deprecated
Unbound website. Direct Download. Changes.

Net::DNS 0.70 released

Thu, 6 Dec 2012
Internationalized Domain Names support in owner names and rdata fields.
Everything new in 0.69 + RFC6742 support


Net::DNS 0.69 release announcement. Project website. Direct Download. Changes.

OpenDNSSEC 1.3.12 released

Mon, 3 Dec 2012
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

ldns 1.6.16 released

Tue, 13 Nov 2012
ldns 1.6.14 and ldns 1.6.15 had a bug in creating empty bitmaps for NSEC3 on empty non-terminals; and were unable to build a loadable pyldns module.
This release has those two bugs resolved.


ldns project page. Direct Download. Changes.

OpenDNSSEC 1.3.11 released

Tue, 13 Nov 2012
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

NSD 3.2.14 released

Thu, 1 Nov 2012
Bugfix release and TCP writev support, to improve TCP performance. See link for more information.
NSD project page. Direct Download. RIPE Labs: Comparing TCP and UDP Response Times of DNS Root Servers.

ldns 1.6.15 released

Tue, 25 Oct 2012
Emergency release restoring binary compatibility with previous releases.
ldns 1.6.14 had: Many bugfixes thanks to code reviews, A big pyldns update and DANE support (RFC 6698), including a new example tool: ldns-dane for verifying and creating TLSA records.


ldns project page. Direct Download. Changes.

ldns 1.6.14 released

Tue, 23 Oct 2012
Many bugfixes thanks to code reviews, A big pyldns update and DANE support (RFC 6698), including a new example tool: ldns-dane for verifying and creating TLSA records.
ldns project page. Direct Download. Changes.

OpenDNSSEC 1.3.10 released

Mon, 8 Oct 2012
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

Unbound 1.4.18 released

Thu, 2 August 2012
bugfixes: assertion failures, validator failure
Unbound website. Direct Download. Changes.

NSD 3.2.13 released

Fri, 27 Jul 2012
Emergency release fixing another denial of service vulnerability VU#517036 CVE-2012-2979 , a bugfix and a typo.
NSD project page. Direct Download.

NSD 3.2.12 released

Thu, 19 Jul 2012
Emergency release fixing a denial of service vulnerability from non-standard DNS packet from any host on the internet. VU#624931 CVE-2012-2978
NSD project page. Direct Download.

NSD 3.2.11 released

Mon, 9 Jul 2012
TLSA/DANE support, ECDSA, per zone statistics and a couple of bugfixes.
NSD project page. Direct Download.

OpenDNSSEC 1.3.9 released

Mon, 18 June 2012
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

Unbound 1.4.17 released

Thu, 24 May 2012
bugfixes, roundrobin, ECDSA
Unbound website. Direct Download. Changes.

ldns 1.6.13 released

Mon, 21 May 2012
Bugfixes, ECDSA support (RFC 6605) & new commandline options to ldns-verify-zone for specifying keys, whether or not to sigchase, and inception and expiration offsets.
ldns project page. Direct Download. Changes.

OpenDNSSEC 1.3.8 released

Mon, 14 May 2012
Minor features and two bugfixes. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

OpenDNSSEC 1.3.7 released

Tue, 13 Mar 2012
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

OpenDNSSEC 1.3.6 released

Fri, 17 Feb 2012
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

Dnssec-Trigger 0.10 released

Fri, 17 Feb 2012
experimental package that provides DNSSEC on personal computers. Bug fixes, easier hotspot, no two popups, installer fixes.
Details. Direct Download. Changes.

NSD 3.2.10 released

Wed, 15 Feb 2012
Bugfix release.
NSD project page. Direct Download.

Unbound 1.4.16 released

Thu, 2 Feb 2012
Fixes bug in bugfix from 1.4.15, and other bugfixes.
Unbound website. Direct Download. Changes.

Net::DNS 0.68 released

Mon, 30 Jan 2012
Bugfixes and Internationalized Domain Names support in queries
Net::DNS 0.68 release announcement. Project website. Direct Download. Changes.

Unbound 1.4.15 released

Thu, 26 Jan 2012
Bugfixes: fix memory leak, hash randomized.
Unbound website. Direct Download. Changes.

ldns 1.6.12 released

Wed, 11 Jan 2012
Bugfixes (including the date transposition flaw) and minor new features such as: user definable ``current'' time, SOA serial update functions and improvements of the build system.
ldns project page. Direct Download. Changes.

Dnssec-Trigger 0.9 released

Mon, 19 Dec 2011
experimental package that provides DNSSEC on personal computers. unbound 1.4.14 in binary packages. minor fixes.
Details. Direct Download. Changes.

Unbound 1.4.14 released

Mon, 19 Dec 2011
Fix VU#209659 CVE-2011-4528. Bugfixes, small features.
Unbound website. Direct Download. Changes.

Dnssec-Trigger 0.8 released

Tue, 13 Dec 2011
experimental package that provides DNSSEC on personal computers. important bugfixes, SSL fallback.
Details. Direct Download. Changes.

NSD 3.2.9 released

Wed, 23 Nov 2011
Two new features: minimize responses to reduce the setting of the TC bit and less NSEC3 prehashing to speed up a reload after a zone transfer. Also, a fair list of bugfixes. See the Release Notes for more information.
NSD project page. Direct Download.

OpenDNSSEC 1.3.3 released

Thu, 17 Nov 2011
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

Net::DNS 0.67 released

Mon, 7 Nov 2011
Many bug fixes, a modular serial number system, experimetal work on IDN, rework of the build system.
Net::DNS 0.67 release announcement. Project website. Direct Download. Changes.

Dnssec-Trigger 0.7 released

Fri, 28 Oct 2011
experimental new package that provides DNSSEC on personal computers. Mac install dmg, fixes.
Details. Direct Download. Changes.

Dnssec-Trigger 0.6 released

Fri, 21 Oct 2011
experimental test of new package that provides DNSSEC on personal computers. Fixes, XFCE and Unity support.
Details. Direct Download. Changes.

Dnssec-Trigger 0.5 released

Thu, 29 Sep 2011
experimental test of new package. Together with unbound provides DNSSEC on 127.0.0.1 on personal computers.
Details. Direct Download.

ldns 1.6.11 released

Thu, 29 Sep 2011
Bug fixes, small new features (such as more control over formatting to text) and a new contributed python module: LDNSX.
ldns project page. Direct Download. Changes.

Unbound 1.4.13 released

Thu, 15 Sep 2011

OpenDNSSEC 1.3.2 released

Tue, 13 Sep 2011
Two bugfixes regarding reading the backup files. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

OpenDNSSEC 1.3.1 released

Wed, 6 Sep 2011
Threading bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

OpenDNSSEC 1.2.2 released

Thu, 11 Aug 2011
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

OpenDNSSEC 1.3.0 released

Tue, 12 Jul 2011
Increased signing performance.
OpenDNSSEC website.

Unbound 1.4.12 released

Thu, 14 Jul 2011
two serious bug fixes.
Unbound website. Direct Download. Changes.

Unbound 1.4.11 released

Thu, 30 Jun 2011
bug fixes, minor usability features.
Unbound website. Direct Download. Changes.

ldns 1.6.10 released

Tue, 31 May 2011

Unbound 1.4.10 released

Wed, 25 May 2011
Fixes denial-of-service assertion failure, CVE-2011-1922 VU#531342
Unbound website. Direct Download. Changes. Details.

Unbound 1.4.9 released

Thu, 24 Mar 2011
bug fixes, not entire packet dropped if private-address is blocked.
Unbound website. Direct Download. Changes.

NSD 3.2.8 released

Tue, 22 Mar 2011
bugfix release, including #216 fixing memory leak relating zone transfers.
NSD project page. Direct Download.

OpenDNSSEC 1.2.1 released

Fri, 18 Mar 2011
Bugfix release. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

ldns 1.6.9 released

Wed, 18 Mar 2011

Unbound 1.4.8 released

Mon, 24 Jan 2011
bug fixes, so-sndbuf, more lenient algorithm rollover supported.
Unbound website. Direct Download. Changes.

ldns 1.6.8 released

Mon, 24 Jan 2011

NSD 3.2.7 released

Mon, 24 Jan 2011
small bugfix release, #347 being the most important fix (NSEC3 related)
NSD project page. Direct Download.

OpenDNSSEC 1.2.0 out now

Fri, 14 Jan 2011
OpenDNSSEC 1.2.0 is released today. Python dependencies are dropped: the whole signer engine is now written in c. Improvements on the enforcer. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

Unbound 1.4.7 released

Mon, 8 Nov 2010
bug fixes, unbound-anchor for automated DNSSEC root key tracking, that works if you have been offline.
Unbound website. Direct Download. Changes.

ldns 1.6.7 released

Mon, 8 Nov 2010
bug fixes, experimental ecdsa support
Direct Download. Changes.

ldns 1.6.6 released

Mon, Aug 9 2010
bug fixes release
Direct Download. Changes.

Unbound 1.4.6 released

Tue, Aug 3 2010
bug fixes, GOST support.
Unbound website. Direct Download. Changes.

NSD 3.2.6 released

Mon, Aug 2 2010
small bugfix release, but also has a new feature and some operational changes
NSD project page. Direct Download.

Unbound 1.4.5 released

Tue, Jun 15 2010

ldns 1.6.5 released

Tue, Jun 15 2010
bug fixes, TALINK, GOST (disabled by default).
Direct Download. Changes.

Unbound 1.4.4 released

Thu, Apr 22 2010

NSD 3.2.5 released

Wed, Apr 14 2010
Optimized, NSID friendly NSD release
NSD project page. Direct Download.

Unbound 1.4.3 released

Tue, Mar 11 2010
crash fix for 64bit platforms.
Unbound website. Direct Download. Changes.

Unbound 1.4.2 released

Tue, Mar 09 2010

OpenDNSSEC 1.0.0 out now

Tue, Feb 9 2010
The first official OpenDNSSEC release is available right now. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

ldns 1.6.4 released

Wed, Jan 20 2010
This new release has the pyldns contribution by Zdenek Vasicek and Karel Slany imported. Plus bug fixes.
Direct Download. Changes.

NSD 3.2.4 released

Wed, Jan 6 2010
This new NSD release comes with some new configure options, DLV record support and some bugfixes.
NSD project page. Direct Download.

Unbound 1.4.1 released

Thu, Dec 17 2009

ldns 1.6.3 released

Fri, Dec 4 2009
Small bugfix release.
Direct Download. Changes.

Unbound 1.4.0 released

Thu, Nov 26 2009
RFC5011, RFC5702 features and bugfixes.
Unbound website. Direct Download. Changes.

ldns 1.6.2 released

Thu, Nov 12 2009
Enables SHA2 by default. Fixes lots of bugs for OpenDNSSEC and other. ldns-sign-zone will minimally sign the DNSKEY rrset.
Direct Download. Changes.

Unbound 1.3.4 released

Wed, Oct 7 2009
DNSSEC downgrade bug fixed.
Unbound website. Direct Download. Changes.

autotrust 0.3.1 released

Tue, Sep 8 2009
This new autotrust release offers some new features like syslog and resolver reloading, as well as some bug fixes. Also, the configuration file format has changed, to be more in line with Unbound.
Direct Download. Changelog.

NSD 3.2.3 released

Mon, Aug 17 2009

ldns 1.6.1 released

Fri, Aug 14 2009

Unbound 1.3.3 released

Tue, Aug 4 2009
Bugfixes, minor features.
Unbound website. Direct Download. Changes.

Unbound 1.3.2 released

Thu, Jul 13 2009
Windows port fixed.
Unbound website. Direct Download. Changes.

Unbound 1.3.1 released

Thu, Jul 9 2009

ldns 1.6.0 released

Thu, Jul 9 2009

Unbound 1.3.0 released

Thu, Jun 11 2009
Windows port. Python contribution. Bugfixes.
Unbound website. Direct Download. Changes.

NSD 3.2.2 release critical

Mon, May 18 2009
Critical bugfix release for NSD.
NSD project page. Direct Download.

ldns 1.5.1 released

Tue, Feb 10 2009
Bugfix release for the zone signer in ldns 1.5
ldns project page. Direct Download. Changelog.

Unbound 1.2.1 released

Tue, Feb 10 2009
Bugfix release, features for smoother operations.
Unbound website. Direct Download. Changes.

ldns 1.5.0 released

Mon, Feb 9 2009

NSD 3.2.1. out now

Mon, Jan 19 2009
Mainly a bugfix release, but also some new features. Fixes AXFR fallback discussion.
NSD project page. Direct Download. Changelog.

Unbound 1.2.0 released

Wed, Jan 14 2009
Minor features and important, security related, bugfixes.
Unbound website. Direct Download. Changes.

ldns 1.4.1 released

Fri, Dec 19 2008
New version of ldns; A couple of NSEC3 related bugs have fixed, as well some gripes in the build scripts.
ldns project page. Direct Download. Changelog.

Unbound 1.1.1 released

Thu, Nov 24 2008

Unbound 1.1.0 released

Thu, Nov 18 2008
DLV support, statistics and lots of other features that have been requested. Also bugfixes.
Unbound website. Direct Download. Changes.

NSD 3.2.0 released

Mon, Nov 10 2008
A "feature rich" release. Contains longstanding requests such as SHA support for TSIG and configuration options for setting the outgoing interface. Also AXFR fallback, and IXFR on TCP by default. VERY IMPORTANT: The format of ixfr.db has changed, so be sure to process the old one before updating to 3.2.0.
NSD project page. Direct Download. Changelog.

ldns 1.4.0 released

Fri, Nov 7 2008
New version of ldns; some small new and fixed features, and a number of bugs fixed
ldns project page. Direct Download. Changelog.

Unbound 1.0.2 released

Thu, Aug 7 2008
This release contains filtering fixes to prevent certain types of exploits. Also bugfixes. More discussion in the announcement.
Unbound website. Direct Download. Announcement.

NSD 3.1.1 released

Mon, Jul 21 2008
This release contains mainly bugfixes. It also allows you to configure the maximum number of allowed interfaces. If you use it, it can have consequences for your memory usage.
NSD project page. Direct Download. Changelog.

NSD 3.1.0 released

Mon, Jun 23 2008
New version of NSD. It supports NSEC3 by default, has a "hide-version" configuration setting, to stop NSD answering from CHAOS class version requests, has bind2nsd 0.5.0, has some bugfixes resolved and reports source and zone for denied AXFR attempts. Some operational notes: the default locations of nsd.db, ixfr.db and xfrd.state are changed to the /var/db/nsd/ directory.
NSD project page. Direct Download. Changelog.

ldns 1.3.0 released

Tue, Jun 2 2008
New version of ldns; If Unbound is to be linked against a separate copy of ldns, this version should be used. There are also some notable features, such as HSM support for DNSSEC signing, and nicer output for signature chasing.
ldns project page. Direct Download. Changelog.

Unbound 1.0.0 released

Tue, May 20 2008
The public release of Unbound, a fast recursive validating caching DNS server.

Unbound logo

Unbound project page. Press release. Direct download.

NSD 3.0.8 Release

Fri, Apr 18 2008
Better logging for nsd-notify, Add chkconfig configuration, nsdc bugfixes, strptime fix, more (bugzilla) fixes and logging features.
NSD project page. Direct Download. Changelog.

ldns 1.2.2 Release

Wed, Nov 28 2007
We released a new version of ldns. There are some bugfixes, an added example tool, and hmac-md5 support for keys.
ldns project page. Direct Download. Changelog.

NSD 3.0.7 Release

Tue, Nov 13 2007
Fixup of error handling for bad data in IXFRs. Manual page syntax improvements.
NSD project page.

NSD 2.3.7 Release

Mon, Apr 16 2007
This is a bug-fix release on our older maintenance branch of NSD. It includes a fixup of type WKS printing from nsd-xfer, a fixup in a call to getservbyport. There are changes in the getaddrinfo error message and a change to make it fall back to IPv4 if it fails for IPv6. A typecast is added to satisfy the compiler. Furthermore a cleanup of the text for NOTAUTH error code.
NSD project page.

ldns 1.2.0 Release

Wed, Apr 11 2007
We released a new version of ldns. There are a lot of bugfixes, some more examples, and drill has had significant updates.
ldns project page. Direct Download.

Publications

Open Data Analysis to Retrieve Sensitive Information Regarding National-Centric Critical Infrastructures

Mon, 3 Feb 2014
Open Data repositories store a variety of information from country governments and private sectors. A concern is that with publishing data, sensitive information can be obtained by visual analytic techniques. The report shows that it is possible to retrieve precise locations where critical infrastructures overlap.
MSc. report (PDF).

Securing the last mile of DNS with CGA-TSIG

Tue, 8 Jan 2014
TSIG with shared keys is not scalable as a solution for the DNS last mile problem. CGA-TSIG extends TSIG with CGA so that shared secrets are no longer required. This research investigates the CGA-TSIG proposal by doing a security analysis and by making a PoC implementation in ldns.
MSc. report (PDF).

DNSSEC Audit Framework

Mon, 30 Dec 2013
In collaboration with SWITCH, the .CH and .LI registry, we have created a DNSSEC audit framework, that can be used to conduct a review of your or someone else's DNSSEC implementation.
PDF.

NLnet Labs Strategic Plan 2014

Wed, 9 Oct 2013
This is the first time we post this type of plan publicly. With this plan we intend to communicate who we are and where we are going, it serves the NLnet Labs Board and Staff but also the parties that support our mission and want to contribute financially.
Strategic Plan(PDF).

Experiences with MPTCP in an International OpenFlow Network

Tue, 3 Sep 2013
Keeping up with the network demand in order to transfer these data sets over the Internet is a challenge. Single links do not have enough capacity anymore. Therefore we need to install more interfaces in the servers and use all available paths in the network. In this paper we describe two new technologies that help to optimally use the capacity of all multiple paths simultaneously: OpenFlow and Multipath TCP (MPTCP).
TNC2013 paper (PDF).

Discovery and Mapping of the Dutch National Critical IP Infrastructure

Mon, 12 Aug 2013
The research project entails the mapping and subsequent analysis of the AS-level interconnections between the organisations active as the Dutch critical infrastructure. One of the conclusions is that the Dutch critical infrastructure organisations are well interconnected but rely a lot on foreign entities for IP transit and even for carrying potentially sensitive information via web and email services.
MSc. report (PDF).

Identifying Patterns in DNS Traffic

Tue, 9 July 2013
A visual analytics approach is used on a large set of DNS packet captures to gain insight into ways that autho ritative name servers are abused for denial of service attacks. Several tools were developed to identify patterns in DNS queries an d responses.
MSc. report (PDF).

NLnet Labs Annual Report 2012

Mon, 27 May 2013
We are happy to present NLnet Labs Annual report 2012. NLnet Labs is active in those areas where a long-breath can have a profound impact on the Internet societal value and 2012 was an interesting year in all areas on which NLnet Labs is active.
Annual Report 2012 (PDF).

Making do with what we've got: Using PMTUD for a higher DNS responsiveness

Thu, 28 Feb 2013
Exploration of improving DNS with IPv6 by responding to ICMPv6 PTB messages
PDF.

Defending against DNS reflection amplification attacks

Mon, 18 Feb 2013
Measurements and analysis of defense mechanisms against DNS reflection and amplification attacks.
PDF.

RFC6781: DNSSEC Operational Practices, Version 2

Mon, 24 Dec 2012
An updated set of practices for operating the DNS with security extensions (DNSSEC).
RFC6781.

Resilient OpenDNSSEC (MSc. thesis)

Mon, 20 Aug 2012
This thesis analyses error situations in securing DNS zones with OpenDNSSEC. Recommendations are presented to increase the resilience level that OpenDNSSEC can offer against such situations.
PDF.

Discovering Path MTU black holes on the Internet using RIPE Atlas (MSc. thesis)

Mon, 23 July 2012
Measurement and analysis of Path MTU black holes due to ICMP and packet fragment filtering on the Internet.
PDF.

RFC6672: DNAME redirection in the DNS

Mon, 18 June 2012
The DNAME record provides redirection for a subtree of the domain name tree in the DNS.
RFC6672.

RFC6635: RFC Editor Model (2)

Mon, 18 June 2012
This document describes the the RFC Series functions: the RFC Series Editor, the RFC Production Center, and the RFC Publisher.
RFC6635.

RFC 6605: ECDSA for DNSSEC

Mon, 18 June 2012
This document describes how to specify Elliptic Curve Digital Signature Algorithm (DSA) keys and signatures in DNS Security (DNSSEC).
RFC6605.

NLnet Labs Annual Report 2011

Fri, 8 June 2012
We are happy to present NLnet Labs Annual report 2011. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2011 (PDF).

Flexible and Robust Key Rollover in DNSSEC

Wed, 28 Mar 2012
Paper describing the OpenDNSSEC Enforcer NG design, presented at SATIN 2012.
PDF.

Authenticated Denial of Existence in the DNS

Mon, 16 Jan 2012
A new version of the paper on denial of existence in the DNS and how the protocol evolved. Version 2.
PDF (external link). Blog article at sidnlabs.nl (Dutch).

Authenticated Denial of Existence in the DNS

Wed, 9 Nov 2011
Paper on denial of existence in the DNS and how the protocol evolved. It answers two simple questions: Why do you need at most two NSEC records in negative responses? And why does NSEC3 requires an extra record?
PDF (external link). Blog article at sidnlabs.nl (Dutch).

Multi-Path Inter-Domain Routing: The Impact on BGP's Scalability, Stability, and Resilience to Link Failures

Wed, 31 Aug 2011
Multi-path routing protocols are proposed to solve transient disconnectivity during convergence time. As their name implies, these protocols are designed to explore more paths than BGP in the attempt to keep the ASes connected in case of link failures. The impact of the multi-path routing protocols on scalability, stability, and resilience to link failures are studied using simulation experiments.
MSc. thesis (PDF).

NLnet Labs Annual Report 2010

Mon, 30 May 2011
We are happy to present NLnet Labs Annual report 2010. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2010 (PDF).

Secure Routing: State-of-the-Art Deployment and Impact on Network Resilience

Tue, 28 Sep 2010
This ENISA publication reports on a study by NLnet Labs and GNKS Consult, surveying current state-of-the-art secure routing technologies. Network operators, engineers, and researchers are interviewed on the deployment of secure routing technology, its performance expectations and operating experiences, and future perspectives.
ENISA Secure Routing Report (PDF) (external link).

Impact of Topology on BGP Convergence

Mon, 23 Aug 2010
This MSc. thesis in collaboration with VU University Amsterdam, reports on the study to understand how the underlying topology of the Internet influences BGP performance. A highly scalable simulator is used to simulate full-scale AS-level Internet. We found that BGP is sensitive to certain topological characteristics of the Internet, while remain completely unaffected on variation in some other characteristics.
MSc. thesis (PDF).

NLnet Labs Annual Report 2009

Mon, June 2 2010
We are happy to present NLnet Labs Annual report 2009. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2009 (PDF).

NSEC3 Hash Performance

Thu, Mar 18 2010
We have measured the effect of the number of hash iterations in NSEC3 in terms of maximum query load using NSD and Unbound. This document presents the results of these measurements and compares the cost for validating and authoritative name servers and allows for an educated choice for these parameters.
PDF.

Securing DNS: Extending DNS Servers with a DNSSEC Validator

Tue, Oct 27 2009
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a challenge. Published in IEEE Security & Privacy, Sept/Oct. 2009.
Securing DNS (DOI Bookmark).

DNSSEC HOWTO updated

Thu, Jul 4 2009
The DNSSEC HOWTO received its first public update after 2007. Examples have been updated to use recent versions of the software, Unbound configuration has been added, and some new material has been added.
DNSSEC HOWTO (HTML). DNSSEC HOWTO (PDF preferred).

NLnet Labs Annual Report 2008

Mon, June 8 2009
We are happy to present NLnet Labs Annual report 2008. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2008 (PDF).

Implementing OpenLISP with LISP+ALT

Tue, April 14 2009
The LISP protocol has been developed to address the growth of the BGP routing table in the DFZ. OpenLISP is an implementation of this protocol, but does not include a location mapping service. This reports describes how a mapping locations service should interact with OpenLISP, GRE and Quagga to use LISP+ALT as a control plane.
OpenLISP report (PDF).

DNSSEC Key Maintenance Analysis

Thu, Oct 23 2008
This document provides recommendations for the generation, storage and use of keys in the context of DNSSEC. It is a followup of NLnet Labs document 2006-SE-01: DNS Threat Analysis, written for .SE.
pdf.

Enforcing Integrity of Agent Migration Paths by Distribution of Trust

Mon, Sep 25 2008
Agent mobility is the ability of an agent to migrate from one location to another across a network. Though conceptually relatively straightforward, in practice security of mobile agents is a challenge. This paper discusses the security issues involved and proposes protocols for secure agent migration. AgentScape, an agent platform for mobile agents, is used to illustrate the feasibility of the implementation of these protocols.
Download article (pdf).

Master Thesis BGP Modeling and Simulation

Mon, Sep 8 2008
In this thesis we present a new approach to BGP simulation. Instead of focussing on intra-domain communication, network and protocol are highly abstracted in order to allow for large-scale simulation. We describe our model of the BGP protocol along with its implementation. Many tracks of future researc are shown as well as many possible uses of this kind of approach to BGP simulation.
Download master thesis (pdf).

Annual Report 2007 released

Fri, Aug 22 2008
We are happy to present NLnet Labs Annual report 2007. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2007(pdf).

HSM Tutorial

Tue, May 13 2008
An introduction to the use of HSM.
Download. HTML version.

Design of a Secure and Decentralized Location Service for Agent Platforms

Wed, Sep 19 2007

Formalization and Verification of the Shim6 Protocol

Mon, Jul 16 2007

Annual Report 2006

Tue, May 21 2007

DNS Threat Analysis

Thu, May 3 2007

Annual Report 2005

Tue, Jun 18 2006

Other related news

Wanted: Systems engineer

Mon, 17 Jun 2013
We are looking for a Junior Systems Engineer to provide support, maintain systems and design and implement Open Source Software used in the heart of the Internet.
Employment.

We have a Blog

Fri, 14 Sep 2012
NLnet Labs now maintains a blog. We use it to publish (technical) background informagion about design and the use of our software and other material relevant to the community.
Blog Pages.

Roelof Meijer joins NLnet Labs' board

Thu, 4 June 2012
As of May 31 Roelof Meijer is a member of the NLnet Labs' Board. Roelof is the CEO of SIDN, the Dutch TLD-registry which is one of the major financial contributors of NLnet Labs.
About NLnet Labs.

Unbound/DnssecTrigger workshop at Augsburger Linutage

Fri, 17 Feb 2012
Free Unbound/DNSSEC Trigger workshop at Augsburger Linux Infotage by Carsten Strotmann, 24 March.
Programm.

Collaboration between SIDN and NLnet Labs

Mon, 23 Jan 2012
SIDN, the company behind .nl, today signed a five-year contract with NLnet Labs. NLnet Labs - the Dutch internet technology expertise centre - has a worldwide reputation for its work in the field of DNS and DNSSEC. Through its financial backing for NLnet Labs, SIDN aims to support not only the continued development of DNS applications such as Unbound and NSD, but also NLnet Labs' general internet R&D work, at least for the next five years.
Press Announcement.

Unbound advisory

Mon, 19 Dec 2011
Denial-of-service vulnerabilities
advisory. US-CERT VU#209659. MITRE CVE-2011-4528.

Unbound advisory

Wed, 25 May 2011
Denial-of-service assertion failure
advisory. US-CERT VU#531342. MITRE CVE-2011-1922.

World IPv6 Day event

Thu, 12 May 2011
On Wednesday 8 June 2011, the Dutch World IPv6 Day event will be organised at the Science Park, Amsterdam.
Programme and registration. IPv6 Day logo.

Outage due to rehousing

Wed, 27 Apr 2011
On Thursday 28 April 2011, NLnet Labs will move office and servers to a new location. Thereby all our services will be offline from 09:00am CET till +-12:00am. Our new location is:
Science Park 400
1098XH Amsterdam

HowTo setup DNSSEC validation

Thu, 7 Apr 2011
describes use of unbound with root trust anchor.
HowTo.

Multithreaded signing support for OpenDNSSEC

Mon, 14 Mar 2011
We have changed the design so that RRsets are added to a signing queue, where a pool of signer threads (called drudgers) grab a signing task and perform it. With the SCA6000 HSM we now reach maximum performance, meaning OpenDNSSEC can do a 13.000+ signatures per second. The .se zone can now be signed in 2 minute 50 seconds, of which 1 minute 14 seconds are signing operations.
Read more on the OpenDNSSEC website.

AFNIC offered a yearly Subsidy

Mon, 22 Nov 2010
AFNIC has generously offered a yearly subsidy that aids the NLnet Labs Foundation to accomplish its chartered goals. AFNIC's Head of R&D, Mohsen Souissi: "We want to express support for the open source and open standards work that NLnet Labs is pursuing. By producing stable and high quality DNSSEC-enabled software they are bringing needed code diversity to the DNS industry and lowering the bar for global DNSSEC deployment. The organization deserves our sustained support
More information about contributing to NLnet Labs.

Unbound timeout article

Mon, 8 Nov 2010
There is an article that describes how unbound manages timeouts from remote servers.
Unbound documentation.

Unbound requestlist article

Thursday, 21 Oct 2010
Men&Mice has a nice article describing how the unbound requestlist works.
Article.

Flavors of Unbound

Wed, Jul 28 2010
Men and Mice have published an article on how to select between different flavors of Unbound compilation.
This article will explain the technical differences of the possible flavors of Unbound and will give proposals under which type of DNS workload a specific flavor will perform best.
The article will be kept updated when new versions of unbound are released.



The article can be found here.

DNSSEC Root Key declaration

Wed, Jul 14 2010
On 16 June 2010 around 21:20 UTC Olaf Kolkman witnessed a key generation procedure by which a DNSSEC Key Signing Key for signing the DNS root has been created. The key is known with key-ID 19036.
PGP Signed Declaration containing the DS hash.

Testing Key States of RFC 5011 in Autotrust

Mon, Jul 12 2010
Carsten Rutz of Radboud University investigated the usability of time model-based testing in a case study: Conformance of the implementation Autotrust with RFC 5011. The results are presented in a bachelor thesis.
HTML. PDF.

Stale keys and unbound behaviour

Fri, Feb 12 2010
Statement regarding concerns about stale keys and Unbound behavior
mail.

SURFnet deploys DNSSEC and uses Unbound

Tue, Sep 8 2009
SURFnet announces that all SURFnet DNS (Domain Name System) resolvers now support DNSSEC. SURFnet uses Unbound as its resolver of choice. SURFnet is one of the first networks in the Netherlands to support DNSSEC.
More information.

Innovation vouchers

Mon, Aug 28 2009
For Dutch companies there is, under a program to promote innovation, the possibility to receive a 2.500 Euro subsidy. The NLnet foundation, our mother, has a program that allows furthering of open source software by any Dutch company that is registered with the Chamber of Commerce. It takes 10 minutes to fill in the paperwork and direct those 2.500 Euro toward a good purpose.
NLnet innovation vouchers.

OpenDNSSEC technology preview

Thu, 30 Jul 2009
The OpenDNSSEC project announces the development of Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security. Visit the OpenDNSSEC website for more information and to download the technology preview.
OpenDNSSEC website.

NLnet Labs is hiring

Sat, Jul 25 2009
We are looking for enthusiastic programmer/developers to complete our 6 persons team. Somebody who will be developing and maintaining open source software and open standards.
More information.

BSD Podcast

Wed, Jul 8 2009
The bsdtalk podcast by Will Backman interviews Wouter Wijngaards about the Unbound resolver.
bsdtalk 176.

NSD Vulnerability Announcement

Mon, May 18 2009
A one-byte buffer overflow has been detected in the NSD software. A fix is ready for download.
More information. Download NSD 3.2.2.

RFI for Unbound Tech Support

Tue, Apr 21 2009
NLnet Labs is seeking information about organizations that would be willing and able to provide first and second line support for Unbound and would like to know more about their ideas on organization and cooperation.
RFI-support.

NLnet Labs joins DNSSEC industry coalition to Increase Adoption of Domain Name Security Extensions (DNSSEC).

Thu, Dec 11 2008
The DNSSEC Industry Coalition is a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. Members work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System.
Press release. DNSSEC Industry Coalition.

Unbound operation explained in book

Mon, Dec 08 2008
Book "Alternative DNS Servers", also describes Unbound and NSD operation.
More.

Japan Unbound User Group

Thu, Sep 04 2008
The Japan Unbound Users Group has opened its website today, with unbound documentation, support and forum in Japanese.
http://unbound.jp/.

DNS Cache Poisoning Vulnerability

Wed, Jul 19 2008
Statement about US-CERT Vulnerability Note VU#800113 and Unbound
Statement of Unbound Development team. US-CERT Vulnerability Note.

NSD Memory Usage Estimate

Fri, Apr 13 2007
Small web tool added to make a memory size indication given zone specification.
NSD project page. Memory estimate.

NSD Powers Secure64 DNS Solution

Sat, Mar 31 2007
Secure64 is a company specialized in secure and high-performance applications. They have developed SourceT, a micro operating system geared towards secure network systems on Itanium processors. NSD has been ported to SourceT, and is used as the name server software of their Secure64 DNS product, providing RFC-compliant, DNSSEC-enabled, fast DNS services on top of their SourceT operating system. They have performed benchmarks on a Itanium machine with SourceT running NSD, and have been able to handle a query load of over 100,000 queries per second with only 1 CPU. The system was able to sustain DNS service in the face of a variety of common attack profiles until the network link was saturated.
The full test results can be found here. Secure64.

Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.