
Stichting NLnet Labs Annual Report 2001
Office: Kruislaan 419
1098 VA Amsterdam
The Netherlands
e-mail: info@nlnetlabs.nl
web: http://www.nlnetlabs.nl
KvK: Chamber of Commerce Amsterdam, nr 34126276

Annual Report 2001 Stichting NLnet Labs

1. Introduction

NLnet Labs was founded in 1999 by Stichting NLnet to develop, implement, evaluate and promote new protocols and applications for the Internet.

The NLnet Labs offices are located in the Amsterdam Science Park (ASP) where traditionally most Internet development in The Netherlands has taken place. The ASP is still very important for the Internet, as it is the location of the Amsterdam Internet Exchange (AMS-IX), in whose vicinity many Internet companies can be found.

2. Activities of Stichting NLnet Labs in 2001

The two areas in which NLnet Labs' staff has invested time and resources are projects and collaboration with other organisations. The 3 elements: staff, projects and collaboration are addressed in this section.

2.1 Staff

The goal of NLnet Labs is to contribute knowledge to the Internet. This can be achieved by software development, but also by educating people to develop software elsewhere. The budget of NLnet Labs is based on long-term (15 years) development with up to six people. The original goal to increase the number of developers to 4 or 5 (including the director) by the end of 2001 was not reached. The skills needed to work at NLnet Labs are manifold, the choice of candidates was not: the choice was to lower our standards, up the salaries, or postpone hiring for better times. The last option was chosen.

The 4 developers within NLnet Labs in 2001: Alexis Yushin (as of April), Miek Gieben, Stephan Jager, and Ted Lindgreen (director) worked on the projects described in the next section.

2.2 Projects

The three projects on which NLnet Labs focussed are: DNSSEC, IPv6 and NSD.

2.2.1 DNSSEC

The DNSSEC project started in 2000 with an investigation of the scaling issues involved in deploying DNSSEC for large domains. In 2001 the following aspects were addressed:

Parent-child communication

NLnet Labs set up an experiment to implement a secure shadow tree of .nl, called .nl.nl. From this experiment we learned that real scaling problems exist with the current proposal for a standard (RFC 2535) with respect to implementing secure parent-child communication procedures.

NLnet Labs proposed an alternative way to deal with the parent-child relation in a draft-RFC (officially: Internet-Draft). Although we recognized that a major change to the standard was more appropriate, we intentionally proposed the smallest possible change in order to not scare people off.

At first, the draft-RFC encountered a lot of scepticism ("It is changing the fundamentals of DNS"), but by the next IETF meeting the problem pointed out by NLnet Labs was broadly recognized. The chair of the dns-ext working group proposed a bolder change, involving the introduction of a new record-type: "DS". Because this change is fundamentally a better one than our lightweight proposal, NLnet Labs dropped its draft-RFC in favour of the DS-proposal.

In the meantime, the general interest in DNSSEC has grown even more, and NLnet Labs is proud that its work has contributed to moving DNSSEC out of its earlier deadlock.

The sigchase addition to BIND-9

In BIND-8 it was possible to check signatures and chase keys with the "host -s" command. This is a powerful tool for debugging. However, because of a bug in the BIND-8 code the results are sometimes incorrect.

Such a tool is not included in BIND-9, and developers at Nominum have led us to believe that they are not planning on adding such a tool. NLnet Labs, however, believes that such a tool is absolutely necessary.

NLnet Labs has therefore written an extension to BIND-9 with the same functionality as in BIND-8. The main difference is that this code produces correct results in all cases. In addition, the signature checking code is also available in the "dig" tool with the switch "sigchase".

The code was given to both Nominum and ISC, but has not been incorporated into BIND-9 so far.

The Opt-In proposal

During the same period in which the parent-child communication was discussed, another proposal was made by other parties: "Opt-In". This proposal was pushed by the .com registry (Verisign). In short, it means that partial security is allowed in order to simplify the introduction of DNSSEC. Although as of early 2002 there is no consensus on whether or not Opt-In is a good idea, it appears that Verisign together with Nominum are working on implementing this option into BIND-9.

Freeze of DNSSEC work at NLnet Labs

NLnet Labs has frozen its work on DNSSEC after the RIPE meeting in October 2001 (Prague), for two reasons:

We expect that during the next IETF (the 53rd, in Minneapolis) the DS draft will be advanced. If this indeed is the case, NLnet Labs will revive the .nl.nl experiment and turn it into a real-life experiment shadowing the .nl servers with a secured version of the .nl tree.

Once a decision on the Opt-In proposal has been taken (either accepted or rejected), NLnet Labs will once more actively advocate DNSSEC in the ccTLD community.

Secure aware resolver

Stephan Jager has written his Masters thesis on the implications of DNSSEC on the resolver. The resolver is the piece of software that translates a user application request for an IP number or domain name into network requests to one or more nameservers, and translates the server answer(s) into an answer to the user application.

A secure aware resolver has the additional task to also verify the server answers.

This work has not led to a working prototype (which was the original plan for the project); instead, it has provided important insight into previously unforeseen complications that a secure aware resolver is faced with.

2.2.2 IPv6

InTouch offered NLnet Labs an IPv6 connection. We accepted the offer, and installed a dedicated system as a gateway between it and our internal network.

The gateway system runs only IPv6; all other systems run both IPv6 and IPv4. IPv6 stateless address autoconfiguration (RFC 2462) is used. DNS has been set up for both forward (with AAAA, not A6) and reverse mapping.

Several applications that support IPv6 have been tested; some of them are now used over IPv6 instead of IPv4 as standard, e.g. ssh, both locally and with SIDN.

For 2002 we plan to adapt more applications to support IPv6.

2.2.3 NSD

Currently, all 13 DNS rootservers run BIND-8, but their administrators have always tried to use different versions at each rootserver.

BIND-9 in its present state is (much) too slow to be used at rootservers. Measurements show severe packetdrops at rates above 2000 queries per second. The root nameservers currently receive up to 6000 queries per second. The BIND-9 effort, however, has caused most of the work on BIND-8 to be stopped, and therefore all rootservers are now converging to use the same (latest) version of BIND-8.

It is clear that this introduces an extra risk: one bug in this BIND-8 version will affect all rootservers. This problem had been recognized by the maintainers of the rootservers, but became much more urgent once the events of the 11th of September forcefully drew ICANN's attention to security issues.

There are a few alternative DNS implementations, but none of them fulfils the requirements of the rootservers.

RIPE-NCC, as one of the maintainers of a rootserver (the K-rootserver), asked NLnet Labs to write a DNS implementation geared especially to rootservers, but not containing any code of existing implementations.

NLnet Labs has accepted this invitation, and has been working on "nsd", the NLnet Labs DNS server software.

In November 2001, a rough, but working prototype of the server was made available. Since then, this prototype has been refined. An alpha release is planned in Q1 2002 and a beta release in Q2 2002.

2.3 Co-operation with other organisations

NLnet Labs has been co-operating with SIDN and CENTR on DNSSEC since the very start of the project in early 2000. This co-operation will continue in 2002 and likely longer, as long as it takes to implement DNSSEC at TLDs.

NLnet Labs works together with RIPE-NCC on both the DNSSEC and the NSD projects. Within DNSSEC the common interest is the education of DNS administrators (workshops, tutorials). RIPE-NCC tests the prototypes for the NSD project. RIPE-NCC is also writing a reference implementation of the zone compiler in Perl. As soon as NSD is considered sufficiently stable it will be run on the K-rootserver, which is maintained by RIPE-NCC. Ted Lindgreen chairs a RIPE working group (the TechSec group).

Furthermore NLnet Labs actively participates in various IETF working groups.

2.4 Plans for 2002

Finding skilled, qualified staff is one of the main concerns for 2002.

The DNSSEC project will be revived and extended. One of the goals is to assist SIDN in implementing DNSSEC in the real .nl tree.

One or more prototypes of secure aware resolvers will be developed. So far all, or at least almost all, work on DNSSEC has been done from the system administrator's and/or domain holder's perspective, and was primarily focussed on the nameserver. It is important that more work is done on the resolver side. That leaves one more step in the DNSSEC chain open: how an application can deal with DNSSEC info. There are no plans for this yet.

Various NSD releases will be completed during 2002. The NSD project will need additional support when implemented in real life. Intelligent selective query answering is currently envisaged as a useful and powerful extension.

IPv6 is an ongoing effort until it is widely implemented.

Depending on the specific skills of new developers we will also start one or more projects in the area of new applications.

2.5 More information

More information on past, current and planned projects can be found at: http://www.nlnetlabs.nl.

3. Organisation

Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members and has remained unchanged in 2001:

name                  function
Teus Hagen            chairman
Frances Brazier       secretary
Wytze van der Raay    treasurer

Six Board meetings took place in the year 2001:

date                  place
January 10, 2001      Amerongen
April 4, 2001         Amerongen
May 16, 2001          Amsterdam
August 21, 2001       Amsterdam
October 30, 2001      Amerongen
November 27, 2001     Amsterdam

Ted Lindgreen is the managing director of Stichting NLnet Labs. He continues to be responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.

Two staff members and one trainee worked for NLnet Labs in 2001:

NLnet Labs rents office space in the Matrix I building in the Amsterdam Science Park in Amsterdam, very close to one of the most important internet interconnection centres in Europe.

4. Finances

Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source internet based consultancy and/or programming services to third parties, but this was not the case in 2001.

4.1 Fiscal status

Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.

Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.

Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).

Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with GAK Nederland BV, in the sector commercial services II (BV 25).

4.2 Administration

Since January 1, 2000, the books are kept by the treasurer using the Exact Compact for Windows software package. The administration is completely based on the euro rather than the guilder as its base currency, to bypass the need for a large-scale conversion somewhere between now and January 1, 2002. Unfortunately, not all third parties with which Stichting NLnet Labs maintains financial relationships, are equally capable of dealing with the euro (most notably the GAK), therefore small-scale manual currency conversion calculations have been a fact of life during 2000 and 2001. In 2002 the administration will be converted to the Exact Compact 2000 software package.

The salary administration has been contracted out to the Salarisadviesgroep Rayon Centrum of PricewaterhouseCoopers. This group also prepares the salary tax forms.

PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs's Annual Accounts 2001. The accountancy report is a separate document with this Annual Report.

4.3 Income in 2001

At the end of 2000, a budget was drawn up for the expected activities of NLnet Labs during the year 2001, with a total of € 255.800. Based on this a grant was requested from Stichting NLnet for € 255.000 during 2001. Stichting NLnet has allocated these funds for 2001, to be received by NLnet Labs on a quarterly basis, i.e. € 51.000 in the first month of the first two quarters, and € 76.500 in the first month of the last two quarters. In July 2001 it became clear that the level of activities, in particular the size of the employed staff, was falling behind the assumptions made in the initial budget. As a result the grant for the third quarter of 2001 was adjusted downwards to € 51.000, and the grant for the fourth quarter was waived completely. The net result of that is that Stichting NLnet Labs received a total of € 153.000 from Stichting NLnet during 2001.

There were some expectations about income from possible consulting activities in the DNS / DNSSEC area, but these did not materialize in 2001, so no consulting income was obtained.

The only other source of income during 2001 was interest derived from a savings account used to deposit funds temporarily. This amounted to € 2.184.

4.4 Expenditure in 2001

The major expenditure categories of NLnet Labs in 2001 are summarised below (all amounts in EUR):



Staff 145.022 141.758
Housing 16.390 15.041
Depreciation 7.260 3.614
Other costs 24.004 28.653

Total 192.676 189.066

Thus expenditure in 2001 was larger than income; but the negative result of € 37.492 could easily be covered by the financial reserve built up during 2000 (€ 47.408). As a result, the financial reserve at the start of 2002 is € 9.916.

4.5 Budget for 2002

The provisional budget for 2001 as approved by the Board in its meeting on November 27, 2001, is as follows (all amounts in €):




Staff 264.900 135.915
Housing 16.860 16.389
Depreciation 7.803 7.260
Other costs 26.800 24.006

Total 316.363 183.570

Because NLnet Labs' costs are expected to increase gradually over the next year, depending on its success in hiring new staff, four quarterly grants for 2002 have been requested from Stichting NLnet, of respectively € 62.000, € 74.000, € 90.000 and € 90.000, thus for a total of € 316.000. Stichting NLnet has approved these grants in January 2002, with the provision that the grant schedule may be revised if and when significant changes occur in NLnet Labs' staffing plan or significant income can be generated from e.g. consultancy services.