Stichting NLnet Labs, Annual Report 2006

Olaf M. Kolkman*, NLnet Labs
Chamber of Commerce Amsterdam, nr 34126276

NLnet Labs document 2007-001
21 May 2007



1 NLnet Labs
2 NLnet Labs Activities
 2.1 Main Projects
 2.2 Minor Projects
 2.3 Contacts with Other Organizations
 2.4 Honors
 2.5 Outlook for 2007
 2.6 Publications and Presentations
3 Organisation
4 Finances
 4.1 Fiscal status
 4.2 Administration
 4.3 Income in 2006
 4.4 Expenditure in 2006
 4.5 Budget for 2007

We are happy to present NLnet Labs Annual report 2006. It is intended to present an overview of Labs’ various activities to those who support NLnet Labs financially, through grants or support contracts, and for those who have shown a general interest in our activities.

The first half of this document presents an overview of our activities while the second half presents details about the organizational and financial aspects of the foundation.

1 NLnet Labs

The Internet’s strength is that it allows people to connect and communicate with all others on the Internet without, in theory, the need for special provisions elsewhere than at the end-nodes. This allows people to publish, provide services, to purchase, read, and consume in a global and truly free manner. In our view the success of the Internet is coupled to the success of open source and open standards development. The TCP/IP stack, web browsers, scripting languages, popular databases, core infrastructure, popular operating systems have all been at the foundation of the net’s success and the net has been a driver for the proliferation of all these tools.

NLnet Labs is a research and development group that focuses on those developments in Internet technology where bridges between theory and practical deployment need to be build; areas where engineering and standardization takes place.

It is our goal to play an active and relevant role in these areas through the development of open source software, through participating in development of open standards, and through the dissemination of knowledge.

Within that context NLnet Labs has become a recognized expertise centre in the area of DNS and DNSSEC. Our software has found its way to important components of the Internet infrastructure and we contribute actively in multiple facets of the standards development process. Dissemination of knowledge is done through education and collaboration.

NLnet Labs was founded in 1999 by Stichting NLnet. The budget of NLnet Labs is based on long term investment for development with a staff of five to six people and mainly provided through a subsidy by the Stichting NLnet.

The NLnet Labs offices are located in the Amsterdam Science Park (ASP).

2 NLnet Labs Activities

In 2006 we mainly continued to work on existing projects. We managed to achieve progress on all planned activities and below we provide further detail about the individual activities. Additionally, we point out how we plan to continue in 2007.

2.1 Main Projects


DNSSEC development and deployment remains one of the main focal points for NLnet Labs. We have continued to evangineer the technology and tried to lead by example.

Gieben and Kolkman finalized their work on an informational RFC [4] that provides operational guidelines for deployment of DNSSEC.

Akkerhuis and Kolkman actively participated in the DNSSEC deployment group that is ’hosted’ by Shinkuro and funded by the US Department of Homeland Security. That group strives to coordinate global DNSSEC deployment efforts.

Kolkman gave various presentations on DNSSEC. In January he acted as instructor at a DNSSEC workshop at the Internet2 Joint Techs meeting in Albuquerque, New Mexico. In December he participated, as an instructor, in a tutorial workshop for country code TLD administrators at the InterLab training facilities in Thailand. He also continued to edit the DNSSEC HOWTO[5] of which an updated version, published in 2007, was used during the Thai workshop.


The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant DNS nameserver. It was first conceived to allow for more genetic diversity for DNS server implementations used by the root-server system and it has been developed for operations in environments where speed, reliability, stability, and security are of high importance. NSD is currently used on some root servers such as the “I” and “K” root-servers and is also in use by several top-level domain registries.

Wijngaards took a lead in developing version 3 of our authoritative nameserver. This version is based on an architecture with a more stable method for inter-process communication, and allows for incremental zone updates. The latter feature makes NSD more suitable as a server of dynamically changing zones.

NSD 3.0.0 was released in September 2006 and has seen 3 additional bug fix releases in the remainder of 2006. During the development and test a number of bugs were discovered that stemmed from the version 2 branch and for which the fixes were back-ported. NSD version 2 saw a total number of 3 bug fix releases.

NSD reaches its performance because it loads all its data in a pre-compiled wire format in memory in a Red Black Tree. When a query comes in, the Red Black Tree is searched and a comprehensive set of pointers is followed to collect all the data that is needed to construct the answer packets.


Schematic of one of NSD’s internal data structure

One of the main differences between NSD2 and NSD3 is the establishment of socket based inter process communication. This allows for efficient and protocol conformant handling of zone transfers and also provide hooks for future work on allowing certain work to be done by low priority processes.

NSD is supported via “community support” through our ’bugzilla’ interface and via our e-mail interface. We recognized that in some corporate environments this commitment to community support is not sufficient and that support needs to be codified. We therefore offer paid support contracts that come in 3 varieties.

More information on NSD support contracts can be found at


LDNS is a DNS function library for C intended for rapid development of DNS related programs. Its functions are inspired by those in Net::DNS, a Perl library often used for writing DNS related scripts and tools, also maintained at NLnet Labs.

The goal of ldns is to simplify DNS programming, it supports recent RFCs like the DNSSEC documents, and allows developers to easily create software conforming to current RFCs, and experimental software for current Internet drafts. A secondary benefit of using ldns is speed. Tools written with ldns will be a lot faster than counterparts developed on the basis of the Net::DNS Perl library. The first tool for which ldns was used is drill.

drill  is a command line DNS query tool with functionality similar to tools like dig and nslookup.

The new version of drill  is included in the ldns release and will not be developed separately anymore. The library also includes a number of examples that are intended to provide sufficient starting points for those who want to start building their own DNS tools.


Prints some information about the nameserver.


Creates a DS record from a DNSKEY record


Generate private/public key pair for DNSSEC.


Prints the mx records for a domain.


Reads a zone file and prints it with 1 RR per line.


Signs a zone file according to DNSSECbis.


UPDATE examples.


A DNS Packet Analyzer tool.


A very, very simple nameserver implementation.


Split zones for parallel signing.


Cat split zones back together.


Fetches DNSKEY records with a few (non-strong, non-DNSSEC) anti-spoofing techniques.


’Walks’ a DNSSEC signed zone.

July 2006 ldns version 1.1.0 was released. This version came with improved documentation, a number of code improvements, and new example code.

LDNS has made its way in several distributions such as the FreeBSD ports and Mac OS X darwinports

Distel Test Lab

We continued to maintain and improve the DISTEL test lab, initially conceived and designed by Daniel Karrenberg in 2003. The test lab remains a key component for running regression and performance tests for NSD.

To improve the speed and maintainability most of the regression test code was rewritten from Perl to C using the ldns library.

2.2 Minor Projects

Net::DNS and Net::DNS::SEC

The maintenance responsibility for the Perl libraries Net::DNS and Net::DNS::SEC[6] is a task that NLnet Labs picked up in 2005. In 2006 Net::DNS saw four and Net::DNS::SEC saw one maintenance release. Net::DNS and Net::DNS::SEC are published through CPAN and via the website.

An initial idea to study Net::DNS for Perl6 has not been pursued.

The DNSSEC Howto

The DNSSEC Howto[5] is maintained at NLnet Labs. In 2006 the DNSSEC Howto was updated and a pre-release was exposed to the participants of a DNSSEC workshop in November 2006, this version was published in January 2007.


Matthijs Mekking joined NLnet Labs from the Radboud University in Nijmegen to work on shim6.

The shim6 protocol specifies a layer 3 shim approach and protocol for providing locator agility below the transport protocols, so that multi homing can be provided for IPv6 with failover and load spreading properties, without assuming that a multi-homed site will have a provider independent IPv6 address prefix which is announced in the global IPv6 routing table. The hosts in a site which has multiple provider allocated IPv6 address prefixes, will use the shim6 protocol to setup state with peer hosts, so that the state can later be used to fail-over to a different locator pair, should the original one stop working (from [2]).

Under the mentorship of Wijngaards, Mekking worked on formal analysis of the shim6 protocol using the UPPAAL protocol verification tool[8] and implemented packet parsing for shim6 in Wireshark[9]. He is expected to complete his work in the spring of 2007.


We have installed an Asterisk server and registered with an external SIP provider. The reason for that is twofold, getting hands on experience with the technology and offering cheap and flexible telephony to our staff members. We have found the configuration unstable at times.


We have been tracking the developments concerning ENUM. On national level we have supported the initiative by SIDN to host the tier 1 ENUM service in the Netherlands. Within IETF context we have contributed through co-authorship on a draft called “The Uniform Resource Identifier (URI) DNS Resource Record” (see section 2.6). The idea posted therein does not satisfy infrastructure ENUM requirements and will not be pursued.

2.3 Contacts with Other Organizations


During 2006 Akkerhuis was as a paid consultant to ICANN, for 5 days per month.

Besides, NLnet Labs was paid for providing an advisory for SIDN, the Dutch top-level DNS registry: “Strategische overwegingen met betrekking tot DNS en Nameservers” (Strategic concerns related to DNS and nameservers).

Participation and collaborations

Akkerhuis is a member of ICANN’s security and stability advisory committee SSAC[7]. He is also a member of the ENISA Permanent Stakeholders’ Group (PSG)[3].

In July 2006 Akkerhuis became, on behalf of ICANN, a member of the ISO 3166 Maintenance Agency — ISO’s focal point for country codes.

During 2006 Akkerhuis participated in a number of meetings that focused on Internet governance, these included the RIPE NCC round table meetings.

As part of the development of the NSEC3 specification NLnet Labs participated in two workshops where interoperability of implementation and the specification itself was tested and discussed. NLnet Labs brought two independent implementations of (parts of) the NSEC3 specification in the form of a zone signer, the drill tool (both based on the LDNS library), and a version of NSD3. The workshops took place at the DENIC offices in Frankfurt, Germany in May and at the Verisign’s Offices in Dulles, VA in September.

Kolkman joined the Internet Architecture Board in March 2006 and has been active as co-chair of IETF’s DNS extensions (DNSEXT) working group. Furthermore NLnet Labs staff has actively participated in the DNSOP and ENUM working groups, both in email discussions and during meetings.

Akkerhuis and Kolkman are active participants in the DNSSEC Deployment working group[1]. They also represent NLnet on the ISOC Advisory Council on which NLnet has a seat based on its professional membership since mid 2005.

NLnet Labs staff continued to participate in various ad-hoc meetings such as the Domain name debate 2006; a series of meetings on “Hereiking ICT beleid”; the IPv6 Task Force meetings; ISOC.NL ENUM groups; and a meeting with SIDN, Ministry of Economic Affairs and GS1 on bar-codes and the DNS.

NLnet Labs staff is active in the IETF, at RIPE meetings and is present at SANE and NLUUG conferences.

2.4 Honors

NLnet Labs was proud to receive the 2006 award for its work on DNS security. A quote from the Jury report follows.

  Al vanaf 1990 was bekend dat het domeinnaamsysteem van het internet

  technisch gezien erg kwetsbaar was. De DNS wordt door iedereen op het

  Internet gebruikt omdat het de link is tussen de namen die we typen

  (zoals en de eigenlijke nummers die computers gebruiken om

  elkaar te vinden. Het originele DNS protocol dateert van 1983 en is

  niet beveiligd. Vanaf 1995 begon het werk aan een veiliger variant,

  maar dat vlotte maar langzaam omdat er vooralsnog weinig commercieel

  nut uit betere DNS-protocollen te halen viel. Vanuit Nederland is

  disproportioneel veel geinvesteerd om dit cruciale onderdeel van

  internet te moderniseren, enkel voor het algemeen belang. Mede dankzij

  pionierswerk vanuit Nederland werd ingezien dat er een herziening

  nodig was van eerdere op tafel liggende DNSSEC protocol, en vervolgens

  werd actief binnen de internetstandaardenorganisatie IETF bijgedragen

  aan de succesvolle ontwikkeling en het testen hiervan. De jury heeft

  veel waardering voor de ’niet praten maar doen’-mentaliteit die de

  drijfveer is achter de winnaar van de tweede ISOC-award van dit jaar

  in de categorie privacy en veiligheid, en dat is natuurlijk NLnet   Labs.

2.5 Outlook for 2007

It is our intention to remain a recognized expertise centrum for DNS and DNSSEC by active development and maintenance of nameserver software such as LDNS, and NSD. A new activity is the development of a DNSSEC secured caching nameserver called Unbound. This piece of software will be one of the more prominent projects for 2007. The product will be a C-implementation, build from scratch but based on a prototype build by David Blacka from Verisign. The project is a collaboration with Verisign and Nominet.

NLnet Labs is planning to continue to play an active role in the IETF standards process, in Internet governance and occasionally provides advice to (semi-) governmental institutions.

In addition to the continuation of these activities we are trying to broaden our understanding of agents and distributed systems. This activity does not have a defined outcome but is intended to explore and possibly define new topics where NLnet Labs can play a role in engineering and standardization.

2.6 Publications and Presentations


3 Organisation

Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members with staggered terms. In conjunction with the NLnet reorganisation described elsewhere in this report, Teus Hagen left the NLnet Labs board at the end of 2006 after serving for seven years as its chairman. The board thanks him for his relentless efforts in the past years. Leo Willems will be serving as chairman starting 30 January 2007.



appointed until

Teus Hagen


December 28, 2006

Frances Brazier


December 28, 2008

Wytze van der Raay


December 28, 2007

5 Board meetings took place in the year 2006:



February 1, 2006


April 7, 2006


June 21, 2006


September 7, 2006


December 1, 2006


Olaf Kolkman and Ted Lindgreen participate in the board meetings in their roles of Director of Labs and advisor to NLnet respectively.


NLnet Labs employed six people in 2006: Miek Gieben (up to 30 June 2006), Jelte Jansen, Jaap Akkerhuis, Olaf Kolkman (director), Wouter Wijngaards, Mark Santcroos (as of 1 December 2006). 16 October 2006 Matthijs Mekking started his internship on SHIM6.

The director of Stichting NLnet Labs is responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.

Organisational Challenges

During 2006 a reorganisation of the NLnet Foundation was started after a recommendation by its Advisory board.

In order to achieve a more transparent relation between the NLnet foundation and NLnet Labs, it was decided that NLnet board members or employees and people dependent on NLnet funding should not serve anymore in the board of NLnet Labs. For this reason Teus Hagen has not renewed his term as a board member and Frances Brazier will leave the board during 2007. Wytze van der Raay will continue as NLnet Labs board member while he is retiring completely from NLnet in 2007.

Also the formal dependencies in the bylaws of NLnet Labs, such as control of NLnet over changes to the bylaws, have been removed.

To formalize the long term commitment of NLnet towards NLnet labs, the financial relation will be codified in a subsidy contract with a 5 year notice period. This allows NLnet Labs to commit to long term efforts and support.

The preparatory work related to this restructuring took place in 2006 and will be completed in 2007.


During 2006, ASP terminated the housing contract unilaterally in order to increase their prices. After giving the matter careful thought the contract was renewed and NLnet Labs rented extra space in order to move our equipment and create sufficient flexibility to house a six person staff and possible visitors or students.

4 Finances

Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source Internet based consultancy and/or programming services to third parties. Consultancy contracts with SIDN, the Dutch top-level domain registry, and ICANN, the Internet Corporation For Assigned Names and Numbers, and a number of NSD support contracts were sources of additional income in 2006 in the latter category.

4.1 Fiscal status

Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.

Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and Internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.

Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).

Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with UWV, in the sector commercial services II (BV 25).

During the formalisation of the financial relation between NLnet Labs and NLnet mentioned above, fiscal specialists reviewed how NLnet Labs has traditionally dealt with VAT deduction and advised to correct an error in Lab’s earlier interpretation of the VAT deduction rules. This has resulted in a one-time corrective charge for unjustified VAT deduction of  32.865.

4.2 Administration

The books of Stichting NLnet Labs are kept by the treasurer of the board.

The salary administration has been contracted out to the Financial Management Solutions group of PricewaterhouseCoopers in Rotterdam. This group also prepares the salary tax forms.

PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs’ Annual Accounts 2006. The accountancy report is a separate document with this Annual Report.

4.3 Income in 2006

At the end of 2005, a budget was drawn up for the expected staffing level and activities of NLnet Labs during the year 2006, with a total of  461.000.

Based on this budget and the expected consultancy income, a grant was requested from Stichting NLnet for  420.000 during 2006. Stichting NLnet allocated these funds for 2006, to be received by NLnet Labs on a quarterly basis,  105.000 per quarter. Due to vacancies, the subsidy requested for the fourth quarter was reduced by  75.000.

The net result of that is that Stichting NLnet Labs received a total of  345.000 from Stichting NLnet during 2006.

The consultancy contract with ICANN from April 2005 was continued, in addition to that contract NLnet Labs provided advisories to SIDN the Dutch top-level Domain registries. In addition NLnet Labs started offering support contracts for NSD. These developments caused more income than expected from the budget. The total income from consultancy and NSD support in 2006 came to  59.492

The only other significant source of income during 2006 was interest derived from a savings account used to deposit funds temporarily. This amounted to  3.538.



Donations general


Consultancy income

52.200 46.500

NSD Support


Interest income

3.538 3.151



total income


4.4 Expenditure in 2006

The major expenditure categories of NLnet Labs in 2006 are summarized below:






25.582 23.908


45.017 26.147


4.371 4.113

Other costs

17.464 14.933

Correction VAT


Total expenditure


Over 2006 NLnet Labs had a negative result of  6.752

As a result, the financial reserve at the start of 2007 is  64.614.

4.5 Budget for 2007

The provisional budget for 2007 is as follows:






40.698 25.582


48.000 45.017


7.200 4.371

Other costs

36.450 17.464


The 2007 budget is significantly larger than the realisation for 2006, in particular because NLnet Labs will be fully staffed in the cause of 2007 and since it rents more space for slightly higher unit prices.

Since, in addition to interest, NLnet Labs expects to receive about EUR 40.000 from consulting activities, and  52.500 from NSD support contracts, the projected deficit for 2007 comes down to EUR 441.248. A request for four quarterly grants of  110.250, thus for a total of  441.000 in 2007, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 30, 2007.


[1]    DNSSEC Deployment Initiative. DNSSEC Deployment web pages.

[2]    M. Bagnulo E. Nordmark. Level 3 multihoming shim protocol, Novembery 2006., (Internet Drafts are subject to change and have a limited lifetime; this draft has expired).

[3]    European Network and Information Security Agency. Enisa web pages.

[4]    O. Kolkman and R. Gieben. DNSSEC Operational Practices. RFC 4641 (Proposed Standard), September 2006.

[5]    Olaf Kolkman. DNSSEC HOWTO, April 2005.

[6]    Net::DNS and Net::DNS::SEC web page.

[7]    ICANN’s Security and Stability Advisory Committee (SSAC). SSAC Web Pages.

[8]    Uppaal website.

[9]    Wireshark: The World’s Most Popular Network Protocol Analyzer. Wireshark Web Pages.

Thu June 12 2006 © NLnet Labs
Kruislaan 419, 1098 VA Amsterdam, The Netherlands