Send in your ideas. Deadline February 1, 2025

DNS Security Fund

This fund is retired, but not because this topic is no longer important. Help reboot it and donate

DNSSEC is one of the key technologies for a safer internet - i quite literally actually, because it unlocks a mechanism for the internet user to (automatically) certify that he or she is being sent to the right computer or service on the internet. In addition, through technologies like DANE new security mechanisms can be bootstrapped effortlessly.

The DNSSEC fund supported projects that helped explore the possibilities of DNSSEC by building real world solutions, and finding novel use cases for this exciting technology.

For more information about donating to the DNSSEC Fund, or to NLnet in general, please email dnssec@nlnet.nl or contact us in any other way that works for you.

This fund is retired, but do have a look at our current theme funds and open calls.

Background information

Domain names are vital to the way we use the internet, as businesses, public institutions and private individuals. While the original system of resolving domain names was very robust and has made tremendous innovation possible, it was also found to be open to serious abuse. DNSSEC provides a cryptographic seal of authenticity that gives real proof of the validity of the domain name you use when you visit a website, chat or send an email.

With DNSSEC you get what security specialists call a chain of trust from the root of the internet to the service you want to connect to - opening the way form many new exciting opportunities. DNSSEC is being gradually introduced worldwide, country by country.

Of course it is already a big win that the chain can henceforth be trusted up to the point where providers relay the answer to the client. But this is not good enough for perfectly normal use such as using a (potentially hostile) public wifi hotspot: for end users to fully benefit from DNSSEC in such cases, the software on the end user side should be able to validate DNSSEC signatures as well - especially on sensitive data like digital security keys and certificates. Most (but not all) applications depend on higher level services to handle DNS, which means that these service stacks need to be updated in all operating systems. Specific client software using their own built-in DNS services, like realtime communication software (e.g. SIP, XMPP), messaging servers and browsers, also will need to be adapted.

Every internet user deserves to be protected by DNSSEC in all situations, yet currently end user software is ready for DNSSEC. In order to speed up the process of introduction of DNSSEC, the Netherlands-based charity NLnet foundation announces that it will open a fund where open source projects can apply for grants to work on DNSSEC in their applications. Through a lightweight and fast procedure, projects can secure funding for reengineering software to reliably work with DNSSEC. Grants will be handed out on the basis of real-world impact, urgency and technical quality of the proposals. Proposals should adhere to the normal requirements for proposals at NLnet, and be no longer than 2 pages of text.

Some technology partially or fully funded through NLnet and the DNSSEC fund

  • OpenDKIM by The Trusted Domain Project, an open source implementation of the DKIM (Domain Keys Identified Mail) sender authentication system.
  • OpenDMARC by The Trusted Domain Project, an open source implementation of the proposed DMARC (Domain-based Message Authentication, Reporting & Conformance) framework.
  • DNSSEC for Jitsi by the University of Applied Sciences, Northwestern Switzerland
    Jitsi is a feature complete and highly secure VoIP and Instant Messaging client written in Java and supporting various protocols such as SIP and XMPP. The project will add client side DNSSEC validation and certificate checking to Jitsi, thus making automated end-to-end communication secure.
  • DNSCCM by Sinodun Internet Technologies, UK
    Implement NSCP (RFC6168), a generic DNS(SEC) name server management and control system, for BIND and NSD.
  • Project Wormhole by AG Projects, Netherlands
    A DNSSEC-aware gateway between the XMPP and SIP universes
  • DNSSEC in Lantern by Brave New Software Project, Inc.
    Integrating DNSSEC into every DNS lookup in Lantern, including all DNS lookups in the LittleProxy, Smack, and LittleShoot sub-modules.
  • NSD, an authoritative only, high performance, simple and open source name server by NLnet Labs.
  • Ldns, a library created by NLnet Labs to simplify DNS programming. It allows developers to easily create software conforming to current RFCs, and experimental software for current Internet Drafts.
  • Unbound, a validating recursive caching resolver by NLnet Labs
  • OpenDNSSEC, an open-source turn-key solution for DNSSEC by NLnet Labs. It secures zone data just before it is published in an authoritative name server.
  • Dnssec-Trigger, a tool by NLnet Labs which enables an end user machine (laptop or desktop computer) to use DNSSEC protection for the DNS traffic.
  • Net::DNS, a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script. Maintained by NLnet Labs.
  • Extended DNSSEC Validator bySNEgroup at University of Amsterdam
    A proof of concept DANE add-on for the Mozilla Firefox web browser

Cosponsored by:

Comcast