NLnet Labs - Annual Report 2005

Olaf M. Kolkman*, NLnet Labs
Chamber of Commerce Amsterdam, nr 34126276

NLnet Labs document 2006-003
June 12, 2006


1 Introduction

NLnet Labs was founded in 1999 by Stichting NLnet to develop, implement, evaluate and promote new protocols and applications for the Internet.

The NLnet Labs offices are located in the Amsterdam Science Park (ASP) where traditionally most Internet development in The Netherlands has taken place. The ASP is still very important for the Internet, as it is the location of the Amsterdam Internet Exchange (AMS-IX), in which vicinity many Internet companies can be found.

The goal of NLnet Labs is to contribute knowledge to the Internet. This can be achieved by software development, and also by educating people to develop software elsewhere. NLnet Labs’ staff therefore not only focuses on software development defined in projects, but also on collaboration with other organizations. The budget of NLnet Labs is based on long term (15 years) investment for development with a staff of five to six people.

2 NLnet Labs Activities

NLnet Labs tries to maintain focus on the development area between theory building and early productizing and deployment; the area where engineering and standardization processes take place. Within that context NLnet Labs has gained expertise in the area of DNS and DNSSEC and tries to expand and apply that expertise.

In 2005 we mainly continued to work on existing projects. In this section we provide further detail about our activities and point out how we plan to continue in 2006.

2.1 Main Projects


DNSSEC development and deployment remains one of the main focal points for NLnet Labs. We have continued to evangineer the technology and tried to lead by example.

In March 2005 the DNSSEC-bis [132] specification was published. We continued our work in the field of deployment engineering. Gieben and Kolkman published new versions of an IETF document that provides operational guidelines for deployment of DNSSEC [6] this document is expected to be published as informational RFC in 2006.

Akkerhuis and Kolkman actively participated in the DNSSEC deployment group that is ’hosted’ by Shinkuro and funded by the Department of Homeland Security. That group strives to coordinate global DNSSEC deployment efforts.

As part of a collaboration with the RIPE NCC Kolkman worked on a project to measure the effect of DNSSEC deployment on authoritative servers. More about this below. He also continues to edit the DNSSEC HOWTO[8].


Names Server Daemon (NSD) is a high performance reference implementation of an authoritative only DNS nameserver.

Release 2.2.0, published in January 2005, contained AXFR zone transfer support and release 2.3.0, published in May came with DNSSEC enabled by default.

In the mean time Rozendaal prototyped new features for the version 3 branch. Development of the version 3 branch has been taken over by Wijngaards. The version 3 branch is expected to be released mid 2006. This branch will have an architecture that has a more stable method for inter-process communication, and allows for incremental zone updates.

As continuous automatic testing is part of the design strategy, the unit and regression tests are being expanded as part of the version 3 developments.

We continued to provide “community support” on NSD. In addition to the continuation of “community support” we plan to introduce support contracts for NSD with the release of NSD3 in 2006.

Although version 1 is still supported NSD version 1 has not seen any releases in 2005.


LDNS is a DNS function library intended for rapid development of DNS related programs. Its functions are inspired by those in Net::DNS, a perl library often used for writing DNS related scripts and tools, also maintained at NLnet Labs.

The goal of ldns is to simplify DNS programming, it supports recent RFCs like the DNSSEC documents, and allows developers to easily create software conforming to current RFCs, and experimental software for current Internet drafts. A secondary benefit of using ldns is speed. Tools written with ldns will be a lot faster than counterparts developed on the basis of the Net::DNS perl library. The first tool for which ldns was used is drill.

drill  is a command line DNS query tool with functionality similar to tools like dig and nslookup.

The new version of drill  is included in the ldns release and will not be developed separately anymore. The library also includes some other examples and tools to show how it can be used.

These example programs are:

ldns-chaos Prints some information about the nameserver.
ldns-key2ds Creates a DS record from a DNSKEY record
ldns-keygen Generate private/pubkey key pair for DNSSEC.
ldns-mx Explained in the tutorial. Prints the mx records for a domain.
ldns-readzone Reads a zone file and prints it with 1 RR per line.
ldns-signzone Signs a zone file according to DNSSECbis.
ldns-update UPDATE examples.

LDNS has been developed by Jansen and Gieben. LDNS 1.0.0 was released October 20, 2005. Version 1.0.1 was released January 5, 2006. LDNS will be actively maintained.

Distel TestLab

We continued to maintain and improve the DISTEL testlab, initially conceived and designed by Daniel Karrenberg in 2003. As part of an RIPE NCC project, that was later continued at NLnet Labs, Kolkman measured what the impact would be on the root-server and one of the other authoritative nameservers that the RIPE NCC operates, when DNSSEC is turned on [7].

We offer the Distel testlab and personnel support to third parties that have interesting projects or measurements. For instance, in 2005 we started a project to use the testlab to perform experiments on zone signing for the .CA top level domain registry.

The tools developed to analyze the content of the captured traces were initially prototyped in Perl by van der Pol, extended by Kolkman and have recently been rewritten in C, using the ldns library, by Jansen.

The testlab remains a key component for running regression and performance tests for NSD.


Our IPv6 activities were mostly performed by van der Pol who left NLnet Labs in the first quarter of 2005. A small trial to build a cheap IPv6 enabled wireless router, by installing Linux based firmware on ASUS WL500-g hardware was started by van der Pol and successfully concluded by Lindgreen but no further IPv6 related activities were deployed.

2.2 Minor Projects

Net::DNS and Net::DNS::SEC

The maintenance responsibility for the Perl libraries Net::DNS and Net::DNS::SEC[9] were taken up when Kolkman joined the organization. Both libraries had a number of maintenance releases in 2005.

The DNSSEC Howto

Kolkman is the maintainer for the DNSSEC HOWTO[8]. There have not been new releases in 2005. A new release is expected in 2006.


The Host Identity Protocol (HIP) was identified as a possible work item for 2005. Due to staff and priority changes no progress was made on this subject.

The identifier locator split, such as in HIP, is one of the possible solutions for IPv6 multi homing. In the IETF work is continuing on “shim6” that applies “HIP” technology as a remedy to exploding routing tables. For 2006 we plan, given appropriate staffing levels, to study, and possible participate in, the so called shim6 developments.

BSD ports

Akkerhuis provided a port of drill  0.9.2 to the FreeBSD ports collection. The port for “nsd” is maintained by a third party.


Our collaboration with the IIDS group at the Vrije Universiteit on Fonkey has continued. Focus was on implementation and experimental analysis. After Rozendaal left this work has mostly been done by IIDS. A joint publication can be expected in 2006.

2.3 Contacts with Other Organizations


As of April 2005, Akkerhuis is a paid consultant to ICANN, for 5 days per month.

NLnet Labs has provided some unpaid consultancy related to DNS and DNSSEC deployment to the RIPE NCC and the .CA registry.

Participation and collaborations

Akkerhuis is a member of ICANN’s security and stability advisory committee SSAC[11]. He is also a member of the ENISA Permanent Stakeholders’ Group (PSG)[5].

He provided an introduction during a security workshop at the request of Sentinels, a research program for ICT security, financed by the Dutch ministry of Economic affairs, NWO and STW[10].

During 2005 Akkerhuis participated in a number of meetings that focused on Internet government and the WSIS process; these included the RIPE NCC round table meetings and preparatory meetings with the Dutch department for Economic Affairs. He also participated in the European Committee’s Security Workshop High Level Internet Group on request of the department of Economic Affairs.

Kolkman has been active as co-chair of IETF’s DNS extensions (DNSEXT) working group. Furthermore NLnet Labs staff has actively participated in the DNSOP and ENUM working groups, both in email discussions and during meetings.

Akkerhuis and Kolkman are active participants in the DNSSEC Deployment working group[4]. They also represent NLnet on the ISOC Advisory Council on which NLnet has a seat based on its professional membership since mid 2005.

NLnet Labs staff has participated in joint workshops with the “Intelligent Interactive Distributed Systems group” at the Vrije Universiteit in Amsterdam, the Domain name debate 2006 and various ad-hoc meetings.

NLnet Labs staff is active in the IETF, at RIPE meetings and is present at NLUUG conferences.

2.4 Publications and Presentations


3 Organisation

Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members. On the 28th of December 2005 the terms of all board members expired. They were reappointed with staggered terms in order to provide some continuity after possible board changes in the future.



appointed until

Teus Hagen


December 28, 2006

Frances Brazier


December 28, 2008

Wytze van der Raay


December 28, 2007

Five Board meetings took place in the year 2005:



February 9, 2005


April 6, 2005


June 15, 2005


September 29, 2005


November 22, 2005



NLnet Labs employed seven people in 2005. Miek Gieben, Erik Rozendaal (up to September 30, 2005), Ronald van der Pol (up to March 31, 2005), Jelte Jansen, Jaap Akkerhuis, Olaf Kolkman (as of September 1) and Ted Lindgreen (director, up to December 31, 2005).

Wouter Wijngaards joined labs as a programmer in January 1, 2006.

The director of Stichting NLnet Labs is responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.

Lindgreen left NLnet Labs to take a position as adviser with Stichting NLnet. Kolkman was hired to fill the director position as of January 1, 2006. Lindgreen spend considerable time on knowledge transfer.

The foundation acknowledges the vision and efforts of Lindgreen to establish and build the NLnet Labs organization. He left behind a healthy and inspiring environment.

Organizational Challenges

NLnet Labs is a small organisation with specific expertise bound to specific personnel. Shared and focused knowledge and expertise is an important aspect to guarantee a constant and long term commitment with respect to the maintenance of our software products. On the other hand we want to create a flexible environment where innovation is possible and side-tracks with possible dead ends can be explored. Such short term projects are usually tied to specific personnel. Because of this, priority shifts or personnel changes tend to have big impacts on the continuity of these short term projects.

Our priority has been and will remain with the commitment to support our published software.

‘House Style’

In October we introduced a new logo for NLnet Labs. We opted for a text only logo composed of the NLnet Labs name on a background of a binary numbers. The green “NLnet” is a reference to Stichting NLnet. The binary background intents to associate with the world of software, networks and computers.

The logo has been kept simple and to the point.

Together with the logo we are slowly introducing a uniform presentation format of NLnet Labs website, paper publications and slide ware.


4 Finances

Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source Internet based consultancy and/or programming services to third parties. Consultancy contracts with SIDN, the Dutch top-level domain registry, and ICANN, the Internet Corporation For Assigned Names and Numbers, were sources of additional income in 2005 in the latter category.

4.1 Fiscal status

Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.

Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and Internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.

Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).

Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with UWV, in the sector commercial services II (BV 25).

4.2 Administration

The books of Stichting NLnet Labs are kept by the treasurer.

The salary administration has been contracted out to the Financial Management Solutions group of PricewaterhouseCoopers in Rotterdam. This group also prepares the salary tax forms.

PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs’s Annual Accounts 2005. The accountancy report is a separate document with this Annual Report.

4.3 Income in 2005

At the end of 2004, a budget was drawn up for the expected staffing level and activities of NLnet Labs during the year 2005, with a total of 480.000. This budget included an explicit provision for transferring the director’s responsibilities to the new director during 6 months in 2005.

Based on this budget and the expected consultancy income, a grant was requested from Stichting NLnet for 447.000 during 2005. Stichting NLnet allocated these funds for 2005, to be received by NLnet Labs on a quarterly basis, 111.750 per quarter. Due to vacancies and a shorter transitioning period to the new director, the subsidy requested for the fourth quarter was reduced to 50.000.

The net result of that is that Stichting NLnet Labs received a total of 385.250 from Stichting NLnet during 2005.

The consultancy contract with SIDN ended at the end of March 2005, but a new consultancy contract with ICANN starting in April 2005 brought in more income than expected in the budget. The total income from consultancy in 2005 came to 46.500.

The only other source of income during 2005 was interest derived from a savings account used to deposit funds temporarily. This amounted to 3.151.





Donations general



Consultancy income



Net interest income



total income



4.4 Expenditure in 2005

The major expenditure categories of NLnet Labs in 2005 are summarized below:














Other costs



Total expenditure



Over 2005 NLnet Labs had a positive result of 35.267

As a result, the financial reserve at the start of 2006 is 71.366.

4.5 Budget for 2006

The provisional budget for 2006 as approved by the Board in its meeting on February 1, 2006 is as follows:














Other costs





The 2006 budget is somewhat bigger than the realisation for 2005, in particular because NLnet Labs expect to fill its two vacancies shortly.

Since NLnet Labs expects to receive about 40.000 from consulting activities, the projected deficit for 2006 comes down to 420.000. A request for four quarterly grants of 105.000, thus for a total of 420.000 in 2006, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 30, 2006.


[1]    R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033 (Proposed Standard), March 2005.

[2]    R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. RFC 4035 (Proposed Standard), March 2005.

[3]    R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. RFC 4034 (Proposed Standard), March 2005.

[4]    DNSSEC Deployment Initiative. DNSSEC Deployment web pages.

[5]    European Network and Information Security Agency. Enisa web pages.

[6]    O. Kolkman and R. Gieben. DNSSEC Operational Practices <draft-ietf-dnsop-dnssec-operational-practices-06.txt>, September 2005., (DNSOP WG Internet draft, drafts are subject to change and have a limited lifetime.).

[7]    Olaf Kolkman. Measuring the resource requirements of DNSSEC. RIPE NCC web pages.

[8]    Olaf Kolkman. DNSSEC HOWTO, April 2005.

[9]    Net::DNS and Net::DNS::SEC web page.

[10]    Sentinels web page, security dag 20050929.

[11]    ICANN’s Security and Stability Advisory Committee (SSAC). SSAC Web Pages.

Thu June 12 2006 © NLnet Labs
Kruislaan 419, 1098 VA Amsterdam, The Netherlands