We are happy to present NLnet Labs Annual report 2006. It is intended to present an overview of Labs’ various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.
The first half of this document presents an overview of our activities while the second half presents details about the organizational and financial aspects of the foundation.
The Internet’s strength is that it allows people to connect and communicate with all others on the Internet without, in theory, the need for special provisions elsewhere than at the end-nodes. This allows people to publish, provide services, to purchase, read, and consume in a global and truly free manner. In our view the success of the Internet is coupled to the success of open source and open standards development. The TCP/IP stack, web browsers, scripting languages, popular databases, core infrastructure, popular operating systems have all been at the foundation of the net’s success and the net has been a driver for the proliferation of all these tools.
NLnet Labs is a research and development group that focuses on those developments in Internet technology where bridges between theory and practical deployment need to be built; areas where engineering and standardization take place.
It is our goal to play an active and relevant role in these areas through the development of open source software, through participating in development of open standards, and through the dissemination of knowledge.
Within that context NLnet Labs has become a recognized expertise centre in the area of DNS and DNSSEC. Our software has found its way to important components of the Internet infrastructure and we contribute actively in multiple facets of the standards development process. Dissemination of knowledge is done through education and collaboration.
NLnet Labs was founded in 1999 by Stichting NLnet. The budget of NLnet Labs is based on long term investment for development with a staff of five to six people and mainly provided through a subsidy by the Stichting NLnet.
The NLnet Labs offices are located in the Amsterdam Science Park (ASP).
In 2006 we mainly continued to work on existing projects. We managed to achieve progress on all planned activities and below we provide further detail about the individual activities. Additionally, we point out how we plan to continue in 2007.
DNSSEC development and deployment remains one of the main focal points for NLnet Labs. We have continued to evangineer the technology and tried to lead by example.
Gieben and Kolkman finalized their work on an informational RFC that provides operational guidelines for deployment of DNSSEC.
Akkerhuis and Kolkman actively participated in the DNSSEC deployment group that is ’hosted’ by Shinkuro and funded by the US Department of Homeland Security. That group strives to coordinate global DNSSEC deployment efforts.
Kolkman gave various presentations on DNSSEC. In January he acted as instructor at a DNSSEC workshop at the Internet2 Joint Techs meeting in Albuquerque, New Mexico. In December he participated, as an instructor, in a tutorial workshop for country code TLD administrators at the InterLab training facilities in Thailand. He also continued to edit the DNSSEC HOWTO of which an updated version, published in 2007, was used during the Thai workshop.
The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant DNS nameserver. It was first conceived to allow for more genetic diversity for DNS server implementations used by the root-server system and it has been developed for operations in environments where speed, reliability, stability, and security are of high importance. NSD is currently used on some root servers such as the “I” and “K” root-servers and is also in use by several top-level domain registries.
Wijngaards took a lead in developing version 3 of our authoritative nameserver. This version is based on an architecture with a more stable method for inter-process communication, and allows for incremental zone updates. The latter feature makes NSD more suitable as a server of dynamically changing zones.
NSD 3.0.0 was released in September 2006 and has seen 3 additional bug fix releases in the remainder of 2006. During the development and test a number of bugs were discovered that stemmed from the version 2 branch and for which the fixes were back-ported. NSD version 2 saw a total number of 3 bug fix releases.
NSD reaches its performance because it loads all its data in a pre-compiled wire format in memory in a Red Black Tree. When a query comes in, the Red Black Tree is searched and a comprehensive set of pointers is followed to collect all the data that is needed to construct the answer packets.
Schematic of one of NSD’s internal data structures.
One of the main differences between NSD2 and NSD3 is the establishment of socket based inter process communication. This allows for efficient and protocol conformant handling of zone transfers and also provides hooks for future work on allowing certain work to be done by low priority processes.
NSD is supported via “community support” through our ’bugzilla’ interface and via our e-mail interface. We recognized that in some corporate environments this commitment to community support is not sufficient and that support needs to be codified. We therefore offer paid support contracts that come in 3 varieties.
More information on NSD support contracts can be found at http://www.nlnetlabs.nl/nsd/support.html.
LDNS is a DNS function library for C intended for rapid development of DNS related programs. Its functions are inspired by those in Net::DNS, a Perl library often used for writing DNS related scripts and tools, also maintained at NLnet Labs.
The goal of ldns is to simplify DNS programming. It supports recent RFCs like the DNSSEC documents, and allows developers to easily create software conforming to current RFCs, and experimental software for current Internet drafts. A secondary benefit of using ldns is speed. Tools written with ldns will be a lot faster than counterparts developed on the basis of the Net::DNS Perl library. The first tool for which ldns was used is drill.
drill is a command line DNS query tool with functionality similar to tools like dig and nslookup.
The new version of drill is included in the ldns release and will not be developed separately anymore. The library also includes a number of examples that are intended to provide sufficient starting points for those who want to start building their own DNS tools.
Prints some information about the nameserver.
Creates a DS record from a DNSKEY record
Generate private/public key pair for DNSSEC.
Prints the mx records for a domain.
Reads a zone file and prints it with 1 RR per line.
Signs a zone file according to DNSSECbis.
A DNS Packet Analyzer tool.
A very, very simple nameserver implementation.
Split zones for parallel signing.
Cat split zones back together.
Fetches DNSKEY records with a few (non-strong, non-DNSSEC) anti-spoofing techniques.
’Walks’ a DNSSEC signed zone.
In July 2006, ldns version 1.1.0 was released. This version came with improved documentation, a number of code improvements, and new example code.
LDNS has made its way into several distributions such as the FreeBSD ports and Mac OS X darwinports.
We continued to maintain and improve the DISTEL test lab, initially conceived and designed by Daniel Karrenberg in 2003. The test lab remains a key component for running regression and performance tests for NSD.
To improve the speed and maintainability most of the regression test code was rewritten from Perl to C using the ldns library.
The maintenance responsibility for the Perl libraries Net::DNS and Net::DNS::SEC is a task that NLnet Labs picked up in 2005. In 2006 Net::DNS saw four and Net::DNS::SEC saw one maintenance release. Net::DNS and Net::DNS::SEC are published through CPAN and via the http://www.net-dns.org website.
An initial idea to study Net::DNS for Perl6 has not been pursued.
The DNSSEC Howto is maintained at NLnet Labs. In 2006 the DNSSEC Howto was updated and a pre-release was exposed to the participants of a DNSSEC workshop in November 2006; this version was published in January 2007.
Matthijs Mekking joined NLnet Labs from the Radboud University in Nijmegen to work on shim6.
The shim6 protocol specifies a layer 3 shim approach and protocol for providing locator agility below the transport protocols, so that multi homing can be provided for IPv6 with failover and load spreading properties, without assuming that a multi-homed site will have a provider independent IPv6 address prefix which is announced in the global IPv6 routing table. The hosts in a site which has multiple provider allocated IPv6 address prefixes, will use the shim6 protocol to setup state with peer hosts, so that the state can later be used to fail-over to a different locator pair, should the original one stop working (from ).
Under the mentorship of Wijngaards, Mekking worked on formal analysis of the shim6 protocol using the UPPAAL protocol verification tool and implemented packet parsing for shim6 in Wireshark. He is expected to complete his work in the spring of 2007.
We have installed an Asterisk server and registered with an external SIP provider. The reason for that is twofold: getting hands-on experience with the technology and offering cheap and flexible telephony to our staff members. We have found the configuration unstable at times.
We have been tracking the developments concerning ENUM. At the national level we have supported the initiative by SIDN to host the tier 1 ENUM service in the Netherlands. Within IETF context we have contributed through co-authorship on a draft called “The Uniform Resource Identifier (URI) DNS Resource Record” (see section 2.6). The idea posted therein does not satisfy infrastructure ENUM requirements and will not be pursued.
During 2006 Akkerhuis was a paid consultant to ICANN, for 5 days per month.
Besides, NLnet Labs was paid for providing an advisory for SIDN, the Dutch top-level DNS registry: “Strategische overwegingen met betrekking tot DNS en Nameservers” (Strategic concerns related to DNS and nameservers).
Akkerhuis is a member of ICANN’s security and stability advisory committee SSAC. He is also a member of the ENISA Permanent Stakeholders’ Group (PSG).
In July 2006 Akkerhuis became, on behalf of ICANN, a member of the ISO 3166 Maintenance Agency — ISO’s focal point for country codes.
During 2006 Akkerhuis participated in a number of meetings that focused on Internet governance; these included the RIPE NCC round table meetings.
As part of the development of the NSEC3 specification NLnet Labs participated in two workshops where interoperability of implementations and the specification itself was tested and discussed. NLnet Labs brought two independent implementations of (parts of) the NSEC3 specification in the form of a zone signer, the drill tool (both based on the LDNS library), and a version of NSD3. The workshops took place at the DENIC offices in Frankfurt, Germany in May and at Verisign’s offices in Dulles, VA in September.
Kolkman joined the Internet Architecture Board in March 2006 and has been active as co-chair of IETF’s DNS extensions (DNSEXT) working group. Furthermore NLnet Labs staff has actively participated in the DNSOP and ENUM working groups, both in email discussions and during meetings.
Akkerhuis and Kolkman are active participants in the DNSSEC Deployment working group. They also represent NLnet on the ISOC Advisory Council on which NLnet has a seat based on its professional membership since mid 2005.
NLnet Labs staff continued to participate in various ad-hoc meetings such as the Domain name debate 2006; a series of meetings on “Hereiking ICT beleid”; the IPv6 Task Force meetings; ISOC.NL ENUM groups; and a meeting with SIDN, Ministry of Economic Affairs and GS1 on bar-codes and the DNS.
NLnet Labs staff is active in the IETF, at RIPE meetings and is present at SANE and NLUUG conferences.
NLnet Labs was proud to receive the ISOC.nl 2006 award for its work on DNS security. A quote from the Jury report follows.
It is our intention to remain a recognized expertise centre for DNS and DNSSEC by active development and maintenance of nameserver software such as LDNS and NSD. A new activity is the development of a DNSSEC secured caching nameserver called Unbound. This piece of software will be one of the more prominent projects for 2007. The product will be a C-implementation, built from scratch but based on a prototype built by David Blacka from Verisign. The project is a collaboration with Verisign and Nominet.
NLnet Labs is planning to continue to play an active role in the IETF standards process and in Internet governance, and to occasionally provide advice to (semi-) governmental institutions.
In addition to the continuation of these activities we are trying to broaden our understanding of agents and distributed systems. This activity does not have a defined outcome but is intended to explore and possibly define new topics where NLnet Labs can play a role in engineering and standardization.
Besides, Kolkman presented “DNSMON” on behalf of the RIPE NCC during the ICANN ISOC joint ccTLD tutorial, Sofia, Bulgaria, October 2006. http://www.isoc.org/educpillar/cctld/docs/dnsmon-cctld-200610.pdf
Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members with staggered terms. In conjunction with the NLnet reorganisation described elsewhere in this report, Teus Hagen left the NLnet Labs board at the end of 2006 after serving for seven years as its chairman. The board thanks him for his relentless efforts in the past years. Leo Willems will be serving as chairman starting 30 January 2007.
December 28, 2006
December 28, 2008
Wytze van der Raay
December 28, 2007
5 Board meetings took place in the year 2006:
February 1, 2006
April 7, 2006
June 21, 2006
September 7, 2006
December 1, 2006
Olaf Kolkman and Ted Lindgreen participate in the board meetings in their roles of Director of Labs and advisor to NLnet respectively.
NLnet Labs employed six people in 2006: Miek Gieben (up to 30 June 2006), Jelte Jansen, Jaap Akkerhuis, Olaf Kolkman (director), Wouter Wijngaards, Mark Santcroos (as of 1 December 2006). On 16 October 2006 Matthijs Mekking started his internship on SHIM6.
The director of Stichting NLnet Labs is responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.
During 2006 a reorganisation of the NLnet Foundation was started after a recommendation by its Advisory board.
In order to achieve a more transparent relation between the NLnet foundation and NLnet Labs, it was decided that NLnet board members or employees and people dependent on NLnet funding should not serve anymore in the board of NLnet Labs. For this reason Teus Hagen has not renewed his term as a board member and Frances Brazier will leave the board during 2007. Wytze van der Raay will continue as NLnet Labs board member while he is retiring completely from NLnet in 2007.
Also the formal dependencies in the bylaws of NLnet Labs, such as control of NLnet over changes to the bylaws, have been removed.
To formalize the long term commitment of NLnet towards NLnet Labs, the financial relation will be codified in a subsidy contract with a 5 year notice period. This allows NLnet Labs to commit to long term efforts and support.
The preparatory work related to this restructuring took place in 2006 and will be completed in 2007.
During 2006, ASP terminated the housing contract unilaterally in order to increase their prices. After giving the matter careful thought the contract was renewed and NLnet Labs rented extra space in order to move our equipment and create sufficient flexibility to house a six person staff and possible visitors or students.
Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source Internet based consultancy and/or programming services to third parties. Consultancy contracts with SIDN, the Dutch top-level domain registry, and ICANN, the Internet Corporation For Assigned Names and Numbers, and a number of NSD support contracts were sources of additional income in 2006 in the latter category.
Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.
Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and Internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.
Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).
Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with UWV, in the sector commercial services II (BV 25).
During the formalisation of the financial relation between NLnet Labs and NLnet mentioned above, fiscal specialists reviewed how NLnet Labs has traditionally dealt with VAT deduction and advised to correct an error in Labs’ earlier interpretation of the VAT deduction rules. This has resulted in a one-time corrective charge for unjustified VAT deduction of € 32.865.
The books of Stichting NLnet Labs are kept by the treasurer of the board.
The salary administration has been contracted out to the Financial Management Solutions group of PricewaterhouseCoopers in Rotterdam. This group also prepares the salary tax forms.
PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs’ Annual Accounts 2006. The accountancy report is a separate document with this Annual Report.
At the end of 2005, a budget was drawn up for the expected staffing level and activities of NLnet Labs during the year 2006, with a total of € 461.000.
Based on this budget and the expected consultancy income, a grant was requested from Stichting NLnet for € 420.000 during 2006. Stichting NLnet allocated these funds for 2006, to be received by NLnet Labs on a quarterly basis, € 105.000 per quarter. Due to vacancies, the subsidy requested for the fourth quarter was reduced by € 75.000.
The net result of that is that Stichting NLnet Labs received a total of € 345.000 from Stichting NLnet during 2006.
The consultancy contract with ICANN from April 2005 was continued; in addition to that contract, NLnet Labs provided advisories to SIDN, the Dutch top-level domain registry. In addition NLnet Labs started offering support contracts for NSD. These developments caused more income than expected from the budget. The total income from consultancy and NSD support in 2006 came to € 59.492.
The only other significant source of income during 2006 was interest derived from a savings account used to deposit funds temporarily. This amounted to € 3.538.
The major expenditure categories of NLnet Labs in 2006 are summarized below:
Over 2006 NLnet Labs had a negative result of € 6.752.
As a result, the financial reserve at the start of 2007 is € 64.614.
The provisional budget for 2007 is as follows:
The 2007 budget is significantly larger than the realisation for 2006, in particular because NLnet Labs will be fully staffed in the course of 2007 and since it rents more space for slightly higher unit prices.
Since, in addition to interest, NLnet Labs expects to receive about EUR 40.000 from consulting activities, and € 52.500 from NSD support contracts, the projected deficit for 2007 comes down to EUR 441.248. A request for four quarterly grants of € 110.250, thus for a total of € 441.000 in 2007, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 30, 2007.
M. Bagnulo, E. Nordmark. Level 3 multihoming shim protocol, November 2006. http://tools.ietf.org/html/draft-ietf-shim6-proto-07 (Internet Drafts are subject to change and have a limited lifetime; this draft has expired).