getdns

getdns - A reliable DNSSEC-providing stub resolver (till 2018/09/01)

Encrypted communication between two arbitrary end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. DANE (DNS-Based Authentication of Named Entities) is a method of bootstrapping encrypted TLS channels without third parties (i.e. Certificate Authorities) having to vouch for a name. It gives the owner of a name the means to authenticate the keys used for their TLS-enabled services themselves, by publishing the key material (or a reference to it) in the DNSSEC-signed zone for that name.

DNSSEC validation is an absolute requirement for verifying DANE-enabled TLS sessions. Forum Standaardisatie recently added DANE, together with STARTTLS, to the list of standards that are mandatory for the Dutch government. Applications that use DANE to set up TLS connections need to be able to retrieve and verify DNSSEC records reliably. New work in TLS, which embeds DANE in a TLS extension, likewise needs DNSSEC validation to authenticate a TLS session (see: https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension-01).

Because of the technical complexity of DNSSEC, DANE support has so far been quite complex for developers to work with. The getdns library is a modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving, such as DNS over TLS (RFC 7858) and acquiring DNSSEC at the stub-resolving level (DNSSEC roadblock avoidance, RFC 8027). One of the key features of getdns is its ability to deliver DNSSEC as a building block in harsh environments. In this project we implement a number of essential components of this library, and work on mechanisms that make the library easy to integrate at the system level as well.
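The DANE rule described above (a TLSA record that the peer's end-entity certificate must satisfy, accepted only when the TLSA data is DNSSEC-secure), as an added example in Python; this is not getdns code, and the DER blobs, the status names and the "3 1 1" record are constructed stand-ins, not values from the page.

```python
import hashlib
import hmac
from typing import NamedTuple

# Status names mirror getdns' dnssec_status outcomes; only SECURE lets a DANE check proceed.
SECURE, BOGUS, INDETERMINATE, INSECURE = "secure", "bogus", "indeterminate", "insecure"

# Matching type -> how the selected data is compared with the association data.
_MATCH = {0: lambda b: b,                           # exact
          1: lambda b: hashlib.sha256(b).digest(),  # SHA2-256
          2: lambda b: hashlib.sha512(b).digest()}  # SHA2-512


class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: bytes     # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """TLSA RDATA wire format (RFC 6698): three one-octet fields, then association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the peer's end-entity certificate satisfy this record?
    Only DANE-EE (usage 3) is handled; other usages need PKIX chain building,
    so unknown usages, selectors and matching types fail closed."""
    if rec.usage != 3 or rec.selector not in (0, 1) or rec.matching not in _MATCH:
        return False
    selected = cert_der if rec.selector == 0 else spki_der
    return hmac.compare_digest(_MATCH[rec.matching](selected), rec.data)


def dane_verify(dnssec_status: str, tlsa_rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """Without DNSSEC-secure TLSA data there is no DANE: bogus, indeterminate and
    insecure answers all fail closed instead of being treated as authoritative."""
    if dnssec_status != SECURE:
        return False
    return any(tlsa_matches(parse_tlsa_rdata(r), cert_der, spki_der) for r in tlsa_rrset)


# Constructed sample input: stand-in DER blobs and a "3 1 1" record derived from them.
CERT = b"constructed-cert-der"
SPKI = b"constructed-spki-der"
RRSET = [bytes([3, 1, 1]) + hashlib.sha256(SPKI).digest()]
```

In a real client the DER blobs come from the TLS handshake and the RRset with its DNSSEC status from the stub resolver; an INSECURE answer may justify falling back to ordinary PKIX validation, but never to trusting the TLSA data.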

The project is run by NLnet Labs, NL.

This project is supported by NLnet and the Internet Hardening Fund.