NLnet Labs participates in various research projects which revolve around core Internet infrastructure. Here you can find an overview of the current projects we are participating in.

Route Origin Validation measurements


The Border Gateway Protocol (BGP) is responsible for routing on the Internet. BGP has no built-in security measures, making it vulnerable to IP prefix hijacking and route leaks. To defend against these threats, the Resource Public Key Infrastructure (RPKI) has been developed by the IETF. RPKI secures the Internet’s routing infrastructure by signing and validating prefix origin data.

There are, however, still situations that one may indirectly fall victim to prefix hijacks even if one's own AS is RPKI protected. A good example of this is the Amazon Route 53 BGP hijack. In this example, the prefixes of the Amazon authoritative DNS servers were hijacked. Any AS with a DNS resolver not protected by RPKI would receive a valid but malicious response from the hijacked authoritative DNS server, even if the AS where the query originated from was RPKI protected. For end-users to be fully protected, in addition to the network in which they reside, they also need their DNS resolvers to be in RPKI protected networks.

In this research we will:
  1. Measure the uptake of Route Origin Validation of DNS resolvers by scheduling long running measurements targeting authoritative nameservers hosted on an RPKI beacon.
  2. Measure the uptake of Route Origin Validation of authoritative nameservers by sending queries to the authoritative nameserver operators (inventorized from OpenINTEL data) originating from an RPKI beacon.

We have started measuring the uptake of Route Origin Validation of DNS resolvers in January 2020 with a research project executed by Marius Bouwer and Erik Dekker (see the report). Up to date results of the Route Origin Validation of DNS resolvers measurements can also be found on the DNSThought website (here for IPv4 and here for IPv6). For these measurements we have used an RPKI beacon kindly provided by Job Snijders.

It is our intention to have continuing measurements in order to keep tracking the state of RPKI protection of DNS resources in the long term. For that we are currently in the process of setting up an RPKI beacon under our own control to perpetuate this research.

NGI0 PET - DNSSEC Key Signing Suite

The DNSSEC protocol brings trust to the Domain Name System by guaranteeing the authenticity and integrity of data stored in the DNS. DNSSEC is increasingly used as a root of trust for Internet protocols. For example, leveraging the DNS-based Authentication of Named Entitities (DANE) protocol, servers used for the handling of e-mail can now securely communicate which public keys are trusted when establishing a TLS connection with these servers. This makes it of paramount importance that key material used for DNSSEC is well protected, especially higher up in the DNS hierarchy at top-level domains. Ideally, in such environments, it is desirable to store sensitive key material (such as the so-called Key Signing Key) offline, and to only use it when required. While some TLD operators already follow this practice, it is far from common, due to a lack of standardised tools and procedures. In this NGI0 PET project, funded by the European Commission, NLnet Labs will develop such standardised tools and procedures in collaboration with stakeholders in the industry.
Learn more about NGI0 PET on the NLnet Foundation website.

Root Canary


The Root Canary project is a joint project of seven partners: SURFnet, the University of Twente, Northeastern University, NLnet Labs, SIDN Labs, the RIPE NCC and ICANN. The goal of this project is to monitor and measure the rollover of the DNSSEC root Key Signing Key (KSK), that is due to take place in 2018-2019.

This project has two main goals:

  1. Serve as a virtual canary in the coalmine, that signals problems DNSSEC-validating DNS resolvers may have during the Root KSK rollover process.
  2. Perform comprehensive measurements of the global DNS resolver population during the entire Root KSK rollover process, from the introduction of the new key until the removal of the old key. The results of these measurements can then be analysed after the process completes to draw lessons for future Root KSK rollover events.

While the actual project itself has now ended, the measurements that were part of the project have become part of NLnet Labs' DNSthough platform.

This project is maintained on



The aim of the LIGHTest research project has been to create a global cross-domain trust infrastructure that renders it transparent and easy for verifiers to evaluate electronic transactions. By querying different trust authorities world-wide and combining trust aspects related to identity, business, reputation etc. it will become possible to conduct domain-specific trust decisions.

Funded under the EU’s Horizon 2020 programme, the project had fourteen partners from nine countries with a diverse background. NLnet Labs contributed its knowledge and experience of the DNS to the project.

You can find more information on the LIGHTest Community Site.



The goal of the OpenINTEL project is to build reliable long-term datasets of the Domain Name System (DNS). Currently, OpenINTEL sends daily queries for a fixed set of common DNS record types for around 65% of the global namespace. Started in 2015 as a collaboration between SURFnet, SIDN and the University of Twente, OpenINTEL has already collected closed to 3 trillion DNS records that can be used to study the constantly evolving Internet.

OpenINTEL uses tools developed by NLnet Labs to power its measurement infrastructure, with LDNS serving as the Swiss army knife to send the billions of DNS queries and parse the result, and Unbound to perform the important task of resolving these queries. NLnet Labs also contributes DNS expertise and custom development for the measurement code of OpenINTEL.

You can find more information on OpenINTEL on the project webpage



The Self-Managing Anycast Networks for DNS (SAND) project is a collaboration between the University of Twente, SIDN and NLnet Labs. The goal of this project is to create resilient anycast DNS networks that can withstand global outages and large-scale DDoS attacks.

NLnet Labs contributes to SAND with its in-depth knowledge of BGP routing and DNS. In addition to this, NLnet Labs strives to adopt the open source tools developed as part of the SAND project.

You can find more information on the SAND project webpage at



Outsourcing to the cloud is mainstream business practice. Oft-quoted security benefits of the cloud are availability of skilled staff, bandwidth and compute power to head off attacks. Yet recent outages call these benefits into question. MASCOT will rigorously study cloud resilience and use the outcome to support security-conscious cloud strategies.

The project consortium is led by the University of Twente, and includes SURF, Logius, KPN and NLnet Labs as partners. The project will run for four years from 2020 - 2023.

The MASCOT project does not have its own webpage yet.