About

Stichting NLnet Labs (NLnet Labs for short) is a not-for-profit foundation founded in 1999 in the Netherlands. Its statutes define its objectives: to develop Open Source software and open standards for the benefit of the Internet.
NLnet Labs' mission is:
To provide globally recognized innovations and expertise for those technologies that turn a network of networks into an Open Internet for All.
» Read more about Labs.

NLnet Labs is a charitable foundation (ANBI) and our main source of income is a subsidy from SIDN and a subsidy from the NLnet Foundation. As we're moving forward and need to ensure our continuity, we welcome your support! In order to develop a sustainable income, we invite you to consider our Support and SLA services, provided by Open Netlabs BV being a 100% subsidiary of NLnet Labs.
» Read more about our funding.

Software updates

DNSSEC trigger 0.14

Tue, 10 Oct 2017
This release fixes install problems on OSX Sierra and High Sierra. The binary packages bundle the just-released unbound 1.6.7 that sends telemetry data about the root trust anchor.
DNSSEC trigger project page. source. install exe. install dmg. Changes.

Unbound 1.6.7 released

Tue, 10 Oct 2017
Unbound 1.6.7 sets the default for trust anchor signaling to yes. This makes a query with the key tags of the validation keys when the trust anchor DNSKEY is retrieved.
Unbound website. Direct Download. Changes.

Unbound 1.6.6 released

Mon, 18 Sep 2017
Unbound 1.6.6 blocks .test and .invalid by default. It has a -p option to suppress pidfile creation (for startup script integration). And more stats and a shared secret cache for dnscrypt. And bug fixes.
Unbound website. Direct Download. Changes.

NSD 4.1.17 released

Fri, 21 Jul 2017
This release has a fix that likely stops zone transfer failures and this release can parse the pre-errata and fixed errata format for deletes in CDS and CDNSKEY records.
NSD project page. Direct Download.

getdns 1.1.0 released

Thu, 13 Apr 2017
Functions for serving DNS. Stubby on board!
Announcement. Direct Download. API specification. Doxygen documentation.

Net::DNS 1.09 released

Fri, 24 Mar 2017

ldns 1.7.0 released

Tue, 20 Dec 2016
Bugfixes and maintenance work, DANE verification delegated to OpenSSL functions, OpenSSL 1.1.0 support
ldns project page. Direct Download. Changes.

DNSSEC trigger 0.13

Thu, 15 Dec 2016
Updated included binaries and installer for OSX.
DNSSEC trigger project page. source. install exe. install dmg. Changes.

Net::DNS::SEC 1.03 released

Fri, 26 Aug 2016

NSD 3.2.22 released

Tue, 14 Jun 2016
Bug fixes accrued before end of support. Note that 3.2.x has end-of-support.
NSD project page. Direct Download.

Publications

NLnet Labs Annual Report 2016

Fri, 30 June 2017
We are happy to present NLnet Labs Annual report 2016. In it we present an overview of Labs' various activities and describe their impact.
Annual Report 2016 (PDF).

A Hybrid System for Automatic Exchanges of Routing Information

Fri, 2 December 2016
The exchange of routing information for BGP configurations is a critical functionality that help autonomous systems communicate with each other in an efficient and robust way. In this work, we propose a hybrid system for automatic exchange of routing information. It addresses security and benefits from using a hybrid model for achieving policy routing information exchange in an efficient way.
MSc. report (PDF).

BGP Route Leaks Analysis

Fri, 6 Mar 2015
A route leak is a violation of the policies between the networks involved. In this project, we obtain routing information from differecent sources and make inferences to detect possible route leaks. These potential route leaks have been further investigated on their duration, the type of violation, and the type and origin of network that caused the leak-detection.
MSc. report (PDF).

BGP Evolution Analysis

Thu, 31 Jul 2014
The Internet has been growing rapidly for many years. A logical consequence of the growth trend is the increase in effort to discover reachability and routing information of all the networks. The project investigates the different components which together form the actual update message signal and tries to find a reason behind the growth factor.
MSc. report (PDF).

Measuring the Deployment of DNSSEC over the Internet

Thu, 2 Jul 2014
The deployment of DNSSEC is measured with the RIPE Atlas infrastructure. The results provide new insight on the distribution of DNSSEC support among resolvers, and notably show that around 90% of resolvers are DNSSEC-aware, and about 30% validate answers.
MSc. report (PDF).

News

Akkerhuis inductee Internet Hall of Fame

Tue, 19 Sep 2017
Jaap Akkerhuis, NLnet Lab's senior research engineer and longtime contributor to the Internet technical community, is inducted into the Internet Hall of Fame. Follow the link below to read more on the background and contributions of Jaap's work in the past 40 year.
Akkerhuis inductee IHoF2017.

Sjoera Nas joined NLnet Labs board

Wed, 13 Sep 2017
Sjoera Nas joined the board of NLnet Labs. She is an Internet and telecom privacy expert affiliated with Autoriteit Persoonsgegevens (Dutch DPA). We are delighted that she joined the board and will contribute with advice and guidance.

DNSSEC training at APTLD 72

Mon, 11 Sep 2017
Berry van Halderen and Jaap Akkerhuis will give a two day DNSSEC course during the APTLD 72 meeting in Tbilisi (Sep 12-13). The course will cover DNS fundamentals, DNSSEC building blocks, policies and hands-on with OpenDNSSEC.
APTLD 72 Agenda.

Recent blog posts

Mon, 15 May 2017 by yuri
Last summer there was a CrypTech workshop in Berlin right before the IETF. I did not attend the workshop personally but a mysterious anodized red box appeared on my desk shortly after. It was the CrypTech Alpha Board, an open source hardware cryptographic engine. At the workshop OpenDNSSEC 1.4 was found to be able to ...
Thu, 22 Dec 2016 by Ralph Dolmans
We noticed a demand from resolver operators to depend DNS answers on the address of the client. The tag functionality introduced in Unbound 1.5.10 and the new views functionality in Unbound 1.6.0 meet these wishes. Tags Unbound’s tags functionality makes it possible to divide client source addresses in categories (tags), and use local-zone and local-data [...]
Tue, 16 Aug 2016 by yuri
“I Can’t Believe It’s Not DNS!” is an authoritative DNS server on ESP8266 written in MicroPython. It has the following anti-features: No storage of zone files, AXFR each boot. DNSSEC filtering. TSIG-less AXFR support! Notify ‘handling’. Highly optimized: no sanity checks. Jumping on the Bandwagon The Espressif ESP8266 is one of the favorite microcontrollers of IoT-Hipsters for some [...]
Thu, 29 Oct 2015 by yuri
Erratum: Unfortunately it appears that this method does not work for OpenDNSSEC 1.4.x. It still works for 1.3.x, specifically 1.3.18 is tested (thanks Michał Kępień!). The current version of OpenDNSSEC is unable to perform an algorithm rollover. Blindly changing the KSK and ZSK algorithm in the kasp.xml will result in a bogus zone. The only option ...

Tue Aug 16 2016

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.