Domain

Expanding a comprehensive, memory-safe library for building privacy and security-conscious DNS applications

Key facts

Status: Current
Investment Amount: €993,600.00
Investment Year(s): 2023, 2024

Every interaction on the internet starts with establishing a connection using a domain name, like the web address you enter in your web browser, the email address you click on from your phone, or the unseen name used to play your favorite show on a streaming service.

Domain is a memory-safe library designed to facilitate developers' interactions with the Domain Name System (DNS) through a standardized Application Programming Interface (API). By offering secure and reliable methods built upon tested code and modern standards, the library simplifies the complexities associated with interacting with DNS, promoting secure connections across applications. Domain prioritizes open standards and memory-safe programming practices to ensure robustness and privacy by default, contributing to a more resilient internet ecosystem.

As NLnet Labs explains in their blog post "The Next Five Years of DNS at NLnet Labs", this will make it possible for developers to incorporate DNS functionality more securely in many types of applications, from applications on small embedded devices to large-scale server farms.

Through their use of our domain library, we will spur the adoption of secure and private defaults that are often not or suboptimally deployed because they are too hard to do well.

These building blocks alleviate the operational burden on developers while making a critical part of the internet's foundational infrastructure more secure. The domain project represents a significant step towards enhancing the reliability and security of internet communication, laying the groundwork for future innovations in DNS solutions.

For 25 years, NLnet Labs has been working on the domain name system as a pillar of the internet for the public benefit. With a focus on long-term sustainability and collaboration, they are driving progress in internet infrastructure development, fostering a safer and more accessible digital landscape for users worldwide. DNS is a critical cornerstone of the internet’s security, and it’s important that all types of interactions with DNS are safe.

Why is this important?

The domain project and the overarching emphasis on DNS security are crucial components in strengthening the internet's infrastructure and ensuring the integrity of digital communication. DNS serves as the backbone of the internet, facilitating the translation of human-readable domain names into numerical IP addresses. DNS standards and operations have evolved significantly since the protocol was established in the 1980s, as technology advances and increasingly sophisticated threats arise. This changing landscape has created greater complexity and challenges for developers and operators.

This is why it is important to give software developers the means to build secure, customized DNS solutions easily. Rather than go through the separate steps of establishing a safe, encrypted and authenticated connection between a user and a content provider, the domain project lays the foundation for solutions that provide developers with high-level functionality to establish communications with the highest possible security and privacy guarantees. Since DNS queries are critical and often involve sensitive information such as website visits and communication endpoints, ensuring they remain confidential and unaltered is paramount.

Secure DNS protocols, such as DNSSEC (DNS Security Extensions) and encrypted DNS transports, provide mechanisms for authenticating DNS data and encrypting communication channels, mitigating the risk of eavesdropping, tampering, and unauthorized access. By enabling better DNS security through tools like those offered by domain, developers can create applications that mitigate the risks associated with the DNS system and foster a safer online environment for individuals and organizations alike.

What are we funding?

The domain project simplifies and secures interactions with DNS through a memory-safe library. By providing developers with a standardized API, the project streamlines DNS integration, promotes secure connections, and enhances the resilience of internet infrastructure. Key milestones include implementing DNSSEC validation, introducing response caching, and developing tools for secure DNS query management.

  • Client Capabilities: Build all the core components for performing client-side domain name resolution. This will result in a basic stub resolver, which converts name resolution requests from applications into DNS request messages. In the following phases this core functionality will be expanded to include DNSSEC validation and response caching.
    • Implement a basic stub resolver for DNS queries over standard and encrypted transports.
    • Introduce DNSSEC validation to enhance the security and authenticity of DNS responses.
    • Introduce response caching for improved performance and reduced latency.
  • Server Capabilities: Build all the components required for a DNS server. This includes primary and secondary nameservers, as well as the server-side of proxies and recursors.
    • Develop capabilities for parsing DNS zones and answering queries for DNS server functionality.
    • Introduce zone transfers to facilitate efficient updates and synchronization of DNS zone data.
    • Implement key management and DNSSEC signing for enhanced security and integrity of DNS zones.
  • Proxy Capabilities: Implement features that enable scaling, security, and privacy by allowing selective DNS request routing and by implementing a simple DNS proxy, helping to standardize a very common use case for DNS.
    • Implement DNS request routing to enable selective routing and filtering of DNS queries.
    • Develop a simple sample DNS proxy.
  • Tooling and Ergonomics
    • Build a modern alternative to the dig DNS query tool to facilitate debugging and validation.
    • Reimplement essential ldns utilities for managing DNS zone files and configurations.
