Stichting NLnet Labs Annual Report 2004
office Kruislaan 419
1098 VA Amsterdam
The Netherlands
email labs@nlnetlabs.nl
web http://www.nlnetlabs.nl
Chamber of Commerce Amsterdam, nr 34126276


Annual Report 2004 Stichting NLnet Labs

1. Introduction

NLnet Labs was founded in 1999 by Stichting NLnet to develop, implement, evaluate and promote new protocols and applications for the Internet.

The NLnet Labs offices are located in the Amsterdam Science Park (ASP) where traditionally most Internet development in The Netherlands has taken place. The ASP is still very important for the Internet, as it is the location of the Amsterdam Internet Exchange (AMS-IX), in whose vicinity many Internet companies can be found.

2. Activities of Stichting NLnet Labs in 2004

The goal of NLnet Labs is to contribute knowledge to the Internet. This can be achieved by software development, and also by educating people to develop software elsewhere. NLnet Labs' staff therefore focuses not only on software development defined in projects, but also on collaboration with other organisations. The budget of NLnet Labs is based on a long-term (15 years) investment for development with a staff of five to six people.

Staff, projects and collaboration are the topics addressed in this section.

2.1 Staff

NLnet Labs employed seven people in 2004: Miek Gieben, Erik Rozendaal, Ronald van der Pol, Martin Pels (from February until July), Jelte Jansen (from March 1), Jaap Akkerhuis (from August 1), and Ted Lindgreen (director) to work on the projects described in the next section.

2.2 The main projects

NLnet Labs focussed in 2004 on DNSSEC, NSD, and the TestLab.

2.2.1 DNSSEC

The DNSSEC project started in 2000 with a study of the scaling issues involved in deploying DNSSEC for large domains. This study proved that DNSSEC scaled better (i.e. less loss of performance) than previously feared by many. This resulted in a renewed interest in DNSSEC.

In 2001 the focus was on deployment at TLDs, and a testbed where DNSSEC was implemented in a secure shadow tree of .nl, called .nl.nl, was set up. This work revealed a new scaling issue, namely with respect to the administration of keys at registries. A new record type "DS" (Delegation Signer) was proposed to solve this issue.

Also in 2001, another change to RFC 2535 was proposed: OptIn. This proposal fundamentally changes the way DNSSEC will be used, as it introduces partial security within a zone. This proposal did not meet consensus in the IETF dnsext working group until mid 2003. At the 57th IETF (Vienna, July 13-18) it became clear that OptIn would become either informational or experimental. It was also clear that there was consensus to standardize the DS proposal and some other minor issues in a new RFC with working title RFC2535bis. The new (proposed) standard was ready in 2004, but it took until Q1 2005 before it was finally published as RFC 4033, 4034 and 4035.

In 2004, NLnet Labs worked mainly on DNSSEC deployment, which is work without much visibility. Part of the work was promoting DNSSEC deployment by actively participating in various fora like IETF, RIPE, ISOC-international, and the DNSSEC deployment group. Most of this work is done by Jaap Akkerhuis. The other part was to build security-aware tools: a demo-resolver (Martin Pels), a DNSSEC debugging tool (Miek Gieben and Jelte Jansen), and a library with various DNSSEC tools (ldns).

The .nl experiment was closed on 28 December 2003, after we concluded that there are no more showstoppers in the proposal for RFC2535bis. After this, it appeared that SIDN had lost interest in further testing DNSSEC deployment. Hopefully this will change in the future.

2.2.2 NSD

NSD is nameserver software aimed at usage on large and/or important authoritative nameservers, such as the root-nameservers and TLDs. The idea to write this software came up at the RIPE 40 meeting in October 2001 in Prague, Czech Republic.

It was observed that all rootservers and most TLDs were converging to use exactly the same software: the latest version of the BIND-8 software. This is because the development of BIND-8 has stopped, and both its successor, BIND-9, and all other alternatives are not, or at least not yet, suitable for these nameservers. It was generally felt that all rootservers using the same software was an unacceptable risk.

During 2002, and until April 2003, Alexis Yushin wrote most of the code of the initial versions. From May 2003, Erik Rozendaal took over the development. A rewrite of large portions of the code was needed to implement DNSSEC in a clean way. This rewrite was completed in 2003. In 2004 the new version was released with DNSSEC disabled by default, but it can easily be switched on. This default is to be changed as soon as DNSSECbis is published as (proposed) standard (Q1 2005). NSD runs on two rootnameservers, a few percent of all TLD servers, and various other nameservers.

2.2.3 IPv6

Ronald van der Pol is co-author of RFC 3750 (Unmanaged Networks IPv6 Transition Scenarios) and RFC 3904 (Evaluation of IPv6 Transition Mechanisms for Unmanaged Networks), which were published in 2004 by the IETF v6ops working group.

Little progress was made on other IPv6 projects.

2.3 TestLab

In 2003 we installed the RIPE-NCC "DISTEL" testlab at NLnet Labs. This testlab was designed by Daniel Karrenberg. The current TestLab consists of three Athlon systems and one Alpha system. They are connected both on a private network and on the Labs-LAN.

It was planned to have a repository of traces from various root- and TLD-nameservers, and to conduct tests on a regular basis so as to obtain and publish progress of the use of IPv6, EDNS0, DNSSEC, and other developments. To obtain and maintain the repository of traces, cooperation was sought with RIPE, SIDN, and ISC. However, despite multiple efforts, we have not yet succeeded in receiving traces on a regular basis.

2.4 Collaboration with other organisations

NLnet Labs has been co-operating with SIDN and CENTR on DNSSEC since the very start of the project in early 2000. However, after the (successful) completion of implementing DNSSEC on a shadow registry for .nl, it seems that SIDN has lost interest in both development and further co-operation with NLnet Labs.

NLnet Labs still works together with RIPE-NCC on the Testlab, the DNSSEC and the NSD projects.

Ted Lindgreen chairs the TechSec RIPE working group and Jaap Akkerhuis is one of the chairs of the RIPE DNS working group.

On invitation of ISOC and RIPE, Jaap Akkerhuis has participated in offering a training for managers and administrators of the new and fast-growing ccTLDs. The course took place in Thailand, but the effort has led to setting up ISOC-trainings on a regular basis.

In 2002 NLnet Labs started collaboration with NLnet's IIDS Research Group at the VU. This collaboration did not work out as hoped and expected, and was put on hold mid-2004. We hope to revive this collaboration in 2005 again.

Furthermore NLnet Labs actively participates in the following IETF working groups:

And in the following RIPE working groups:

2.5 Plans for 2005

2.5.1 DNSSEC

In 2005 NLnet Labs will continue to focus on getting DNSSEC implemented. As the (new) standard has now been published, most of the work will be producing and testing the resolver and the signing procedures, including administration and debugging tools. These tools will be built around the ldns library.

Miek Gieben and Jelte Jansen will be doing most of this work, so no extra manpower is needed.

2.5.2 NSD

NSD has matured, so little new development is needed. There will be some development on tools outside the NSD-core, like AXFR and IXFR support, but most of the work will be maintenance.

2.5.3 TestLab

Setting up a traces repository and doing tests on a regular basis is still aimed for. However, this depends on the availability of traces.

2.5.4 HIP

The Host Identity Protocol architecture introduces a new layer between the "Transport" and "Internetworking" layer. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space, based on public keys, that function as the end-points of sockets. When a host moves from one network to another e.g. as a multi-homing node, or a mobile node, sockets will remain bound to the HI but the binding between the HI and the transport layer will need to be dynamically updated. The HIP architecture provides methods to do this securely.

The idea to work on HIP is from Olaf Kolkman, who will start working for NLnet Labs in September 2005. It is planned that Olaf takes over the management of Labs in January 2006. Olaf proposes that NLnet Labs does a pilot study to:

2.6 Software testing for other NLnet projects

On request of the NLnet foundation, NLnet Labs will test released and pre-released software from other NLnet projects, provided that NLnet Labs has the necessary skills and knowledge in house. It is expected that the necessary manpower can be scheduled on an ad-hoc basis.

2.7 Workshops, presentations and publications

The following workshops, presentations and/or publications were given/produced by NLnet Labs in 2004:

Work in progress:

2.8 More information

More information on past, current and planned projects can be found at:


3. Organisation

Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members and has remained unchanged in 2004:

name                  function    end of term

Teus Hagen            chairman    December 28, 2005
Frances Brazier       secretary   December 28, 2005
Wytze van der Raay    treasurer   December 28, 2005

Six Board meetings took place in the year 2004:

date                place

January 14, 2004    Amerongen
March 10, 2004      Amsterdam
May 13, 2004        Amsterdam
August 18, 2004     Amsterdam
October 7, 2004     Amsterdam
December 7, 2004    Amsterdam

Ted Lindgreen is the managing director of Stichting NLnet Labs. He continues to be responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.

Six staff members worked for NLnet Labs in 2004:

NLnet Labs rents office space in the Matrix I building in the Amsterdam Science Park in Amsterdam, very close to one of the most important internet interconnection centres in Europe.

4. Finances

Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source internet based consultancy and/or programming services to third parties. A contract for consultancy at SIDN, the Dutch top-level domain registry, was a source of additional income in 2004 in the latter category.

4.1 Fiscal status

Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.

Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.

Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).

Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with UWV GAK, in the sector commercial services II (BV 25).

4.2 Administration

The books of Stichting NLnet Labs are kept by the treasurer.

The salary administration has been contracted out to the Financial Management Solutions group of PricewaterhouseCoopers in Rotterdam. This group also prepares the salary tax forms.

PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs's Annual Accounts 2004. The accountancy report is a separate document with this Annual Report.

4.3 Income in 2004

At the start of 2004, a budget was drawn up for the expected staffing level and activities of NLnet Labs during the year 2004, with a total of EUR 299.340. This budget excluded the cost for a possible expansion of the staff in the course of 2004 with one to two persons. Based on this budget and the expected consultancy income, a grant was requested from Stichting NLnet for EUR 274.000 during 2004, with the option to request an additional grant if the desirable staff expansion could be effectuated. Stichting NLnet allocated these funds for 2004, to be received by NLnet Labs on a quarterly basis, EUR 68.500 per quarter.

Based on the successful staff expansion realised by employing Jelte Jansen and Jaap Akkerhuis in the course of 2004, an additional grant of EUR 66.000 was requested from Stichting NLnet in August 2004, and this was granted in September 2004.

The net result of that is that Stichting NLnet Labs received a total of EUR 340.000 from Stichting NLnet during 2004.

Also, a new consultancy contract with SIDN over the period September through December 2004, brought in some additional income of EUR 14.000, but this was less than budgeted.

The only other source of income during 2003 was interest derived from a savings account used to deposit funds temporarily. This amounted to EUR 1.442.

Summarizing the 2004 income:

                                                2004       2003
                                              actual     actual

Donations general                            340.000    325.000
Donations for Fonkey                               -     35.000
Donations for A-A-P project                        -     49.409
Donations for Atom-Based Routing project           -     50.051
Consultancy income                            14.000     41.648
Interest income                                1.442      1.555

Total                                        355.442    502.664

4.4 Expenditure in 2004

The major expenditure categories of NLnet Labs in 2004 are summarised below:

                                   2004       2003
                                 actual     actual

Staff                           310.039    364.002
Atom-Based Routing project            -     50.051
Housing                          22.799     20.616
Depreciation                      7.184      5.067
Other costs                      34.055     36.454

Total                           374.077    476.190

Thus total income in 2004 was somewhat less than expenditure; the negative result of EUR 18.635 has been taken out of the financial reserve. As a result, the financial reserve at the start of 2005 is EUR 36.099.

4.5 Budget for 2005

The provisional budget for 2005 as approved by the Board in its meeting on December 7, 2004, is as follows:

                   2005       2004
                 budget     actual

Staff           412.800    310.039
Housing          23.400     22.799
Depreciation      6.840      7.184
Other costs      36.960     34.055

Total           480.000    374.077

The 2005 budget looks considerably bigger than the realisation for 2004, in particular the staff budget. There are two reasons for this:

Since NLnet Labs expects to receive some income from consulting activities, the projected deficit for 2005 comes down to EUR 447.000. A request for four quarterly grants of EUR 111.750, thus for a total of EUR 447.000 in 2005, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 27, 2005.