Research

Where Did My Packet Go? Measuring the Impact of RPKI ROV

Merely doing RPKI ROV does not provide any guarantee about where your packet ends up. We conducted an experiment that looks into the impact of RPKI ROV on whether a packet ends up in the intended location, based on active beaconing with two servers.
7 min read
Research

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks. The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF program which enables us to plot graphs of DNS metrics
9 min read
Newsletter

🛠 A confidence building toolbox

Nobody likes pushing the "Go" button to deploy and just hoping things will be okay. 🤞 In this newsletter we'll cover some of the recent additions to our software aimed at giving you more operational confidence...

💬 In this issue:

* Zone Verification in NSD. Prevent zones with errors in the DNSSEC signed
4 min read
A little extra explanation is always helpf
DNS

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE has been supported in NSD since version 4.3.6, released in April 2021, as with most things in a resolver, EDE support took more time to implement. As a short
3 min read
Spring in Amsterdam
Newsletter Featured

The NLnet Labs Newsletter – Spring 2022

Welcome to our first newsletter, providing you with an update on what we've been doing over the last few months and what's coming up from your favourite open-source development crew below sea level. 👷‍♀️ In this edition: both our software development and Internet Governance activities get reinforced with new staff, the
7 min read
Research

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop. In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP feature for rate-limiting queries can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks.
16 min read
RPKI

How To Run Krill Behind an NGINX Reverse Proxy

Although Krill has a built-in HTTPS server, it may be desirable to run a production-grade web server as a reverse proxy in front of Krill. This allows easy TLS configuration and additional restrictions, if desired.
6 min read
RPKI

Why Routinator Doesn’t Fall Back to Rsync

When creating software, we carefully weigh each design decision: security, resiliency, usability and many more factors play a role in the end result. This article explores the reasoning behind a behaviour that isn't specified in an RFC but which has a significant impact on operators deploying RPKI.
6 min read
DNS

DNS-over-HTTPS in Unbound

A major step forward in end user privacy.
5 min read