Archive of old News

bugfix.
Unbound website. Direct Download. Changes.

The first official OpenDNSSEC release is available right now. For downloads and more information about future release plans, visit the OpenDNSSEC website.
OpenDNSSEC website.

This new release has the pyldns contribution by Zdenek Vasicek and Karel Slany imported. Plus bug fixes.
Direct Download. Changes.

This new NSD release comes with some new configure options, DLV record support and some bugfixes.
NSD project page. Direct Download.

bugfix.
Unbound website. Direct Download. Changes.

This new autotrust release offers some new features like syslog and resolver reloading, as well as some bug fixes. Also, the configuration file format has changed, to be more in line with Unbound.
Direct Download. Changelog.

Small bugfix release.
Direct Download. Changes.

RFC5011, RFC5702 features and bugfixes.
Unbound website. Direct Download. Changes.

Enables SHA2 by default. Fixes lots of bugs for OpenDNSSEC and other. ldns-sign-zone will minimally sign the DNSKEY rrset.
Direct Download. Changes.

DNSSEC downgrade bug fixed.
Unbound website. Direct Download. Changes.

Bugfixes.
NSD project page. Direct Download.

Direct Download. Changes.

Bugfixes, minor features.
Unbound website. Direct Download. Changes.

Windows port fixed.
Unbound website. Direct Download. Changes.

Bugfixes.
Unbound website. Direct Download. Changes.

Direct Download. Changes.

Windows port. Python contribution. Bugfixes.
Unbound website. Direct Download. Changes.

Critical bugfix release for NSD.
NSD project page. Direct Download.

Bugfix release for the zone signer in ldns 1.5
ldns project page. Direct Download. Changelog.

Bugfix release, features for smoother operations.
Unbound website. Direct Download. Changes.

New version of ldns
ldns project page. Direct Download. Changelog.

Mainly a bugfix release, but also some new features. Fixes AXFR fallback discussion.
NSD project page. Direct Download. Changelog.

Minor features and important, security related, bugfixes.
Unbound website. Direct Download. Changes.

New version of ldns; A couple of NSEC3 related bugs have fixed, as well some gripes in the build scripts.
ldns project page. Direct Download. Changelog.

bugfixes.
Unbound website. Direct Download. Changes.

DLV support, statistics and lots of other features that have been requested. Also bugfixes.
Unbound website. Direct Download. Changes.

A "feature rich" release. Contains longstanding requests such as SHA support for TSIG and configuration options for setting the outgoing interface. Also AXFR fallback, and IXFR on TCP by default. VERY IMPORTANT: The format of ixfr.db has changed, so be sure to process the old one before updating to 3.2.0.
NSD project page. Direct Download. Changelog.

New version of ldns; some small new and fixed features, and a number of bugs fixed
ldns project page. Direct Download. Changelog.

This release contains filtering fixes to prevent certain types of exploits. Also bugfixes. More discussion in the announcement.
Unbound website. Direct Download. Announcement.

This release contains mainly bugfixes. It also allows you to configure the maximum number of allowed interfaces. If you use it, it can have consequences for your memory usage.
NSD project page. Direct Download. Changelog.

New version of NSD. It supports NSEC3 by default, has a "hide-version" configuration setting, to stop NSD answering from CHAOS class version requests, has bind2nsd 0.5.0, has some bugfixes resolved and reports source and zone for denied AXFR attempts. Some operational notes: the default locations of nsd.db, ixfr.db and xfrd.state are changed to the /var/db/nsd/ directory.
NSD project page. Direct Download. Changelog.

New version of ldns; If Unbound is to be linked against a separate copy of ldns, this version should be used. There are also some notable features, such as HSM support for DNSSEC signing, and nicer output for signature chasing.
ldns project page. Direct Download. Changelog.

The public release of Unbound, a fast recursive validating caching DNS server.

Unbound project page. Press release. Direct download.

Better logging for nsd-notify, Add chkconfig configuration, nsdc bugfixes, strptime fix, more (bugzilla) fixes and logging features.
NSD project page. Direct Download. Changelog.

We released a new version of ldns. There are some bugfixes, an added example tool, and hmac-md5 support for keys.
ldns project page. Direct Download. Changelog.

Fixup of error handling for bad data in IXFRs. Manual page syntax improvements.
NSD project page.

This is a bug-fix release on our older maintenance branch of NSD. It includes a fixup of type WKS printing from nsd-xfer, a fixup in a call to getservbyport. There are changes in the getaddrinfo error message and a change to make it fall back to IPv4 if it fails for IPv6. A typecast is added to satisfy the compiler. Furthermore a cleanup of the text for NOTAUTH error code.
NSD project page.

We released a new version of ldns. There are a lot of bugfixes, some more examples, and drill has had significant updates.
ldns project page. Direct Download.

DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a challenge. Published in IEEE Security & Privacy, Sept/Oct. 2009.
Securing DNS (DOI Bookmark).

The DNSSEC HOWTO received its first public update after 2007. Examples have been updated to use recent versions of the software, Unbound configuration has been added, and some new material has been added.
DNSSEC HOWTO (HTML). DNSSEC HOWTO (PDF preferred).

We are happy to present NLnet Labs Annual report 2008. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2008 (PDF).

The LISP protocol has been developed to address the growth of the BGP routing table in the DFZ. OpenLISP is an implementation of this protocol, but does not include a location mapping service. This reports describes how a mapping locations service should interact with OpenLISP, GRE and Quagga to use LISP+ALT as a control plane.
OpenLISP report (PDF).

This document provides recommendations for the generation, storage and use of keys in the context of DNSSEC. It is a followup of NLnet Labs document 2006-SE-01: DNS Threat Analysis, written for .SE.
pdf.

Agent mobility is the ability of an agent to migrate from one location to another across a network. Though conceptually relatively straightforward, in practice security of mobile agents is a challenge. This paper discusses the security issues involved and proposes protocols for secure agent migration. AgentScape, an agent platform for mobile agents, is used to illustrate the feasibility of the implementation of these protocols.
Download article (pdf).

In this thesis we present a new approach to BGP simulation. Instead of focussing on intra-domain communication, network and protocol are highly abstracted in order to allow for large-scale simulation. We describe our model of the BGP protocol along with its implementation. Many tracks of future researc are shown as well as many possible uses of this kind of approach to BGP simulation.
Download master thesis (pdf).

We are happy to present NLnet Labs Annual report 2007. It is intended to present an overview of Labs' various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
Annual Report 2007(pdf).

An introduction to the use of HSM.
Download. HTML version.

Download.

Download. Abstract.

Download.

Download.

Download.

Statement regarding concerns about stale keys and Unbound behavior
mail.

SURFnet announces that all SURFnet DNS (Domain Name System) resolvers now support DNSSEC. SURFnet uses Unbound as its resolver of choice. SURFnet is one of the first networks in the Netherlands to support DNSSEC.
More information.

For Dutch companies there is, under a program to promote innovation, the possibility to receive a 2.500 Euro subsidy. The NLnet foundation, our mother, has a program that allows furthering of open source software by any Dutch company that is registered with the Chamber of Commerce. It takes 10 minutes to fill in the paperwork and direct those 2.500 Euro toward a good purpose.
NLnet innovation vouchers.

The OpenDNSSEC project announces the development of Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security. Visit the OpenDNSSEC website for more information and to download the technology preview.
OpenDNSSEC website.

We are looking for enthusiastic programmer/developers to complete our 6 persons team. Somebody who will be developing and maintaining open source software and open standards.
More information.

The bsdtalk podcast by Will Backman interviews Wouter Wijngaards about the Unbound resolver.
bsdtalk 176.

A one-byte buffer overflow has been detected in the NSD software. A fix is ready for download.
More information. Download NSD 3.2.2.

NLnet Labs is seeking information about organizations that would be willing and able to provide first and second line support for Unbound and would like to know more about their ideas on organization and cooperation.
RFI-support.

The DNSSEC Industry Coalition is a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. Members work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System.
Press release. DNSSEC Industry Coalition.

Book "Alternative DNS Servers", also describes Unbound and NSD operation.
More.

The Japan Unbound Users Group has opened its website today, with unbound documentation, support and forum in Japanese.
http://unbound.jp/.

Statement about US-CERT Vulnerability Note VU#800113 and Unbound
Statement of Unbound Development team. US-CERT Vulnerability Note.

Small web tool added to make a memory size indication given zone specification.
NSD project page. Memory estimate.

Secure64 is a company specialized in secure and high-performance applications. They have developed SourceT, a micro operating system geared towards secure network systems on Itanium processors. NSD has been ported to SourceT, and is used as the name server software of their Secure64 DNS product, providing RFC-compliant, DNSSEC-enabled, fast DNS services on top of their SourceT operating system. They have performed benchmarks on a Itanium machine with SourceT running NSD, and have been able to handle a query load of over 100,000 queries per second with only 1 CPU. The system was able to sustain DNS service in the face of a variety of common attack profiles until the network link was saturated.
The full test results can be found here. Secure64.