Czech Knot DNS added to .nl name servers
As well as running BIND and NSD, our infrastructure now uses a third DNS software package. We've added Knot DNS, created by the Czech registry CZ.NIC. The new set-up is described below.
DNS for .nl
Being a registry isn't only about registering domain names. We also have to ensure that registered names actually work on the internet. That means making sure that computers and mobiles can look them up using the Domain Name System (DNS). As the registry for .nl and infrastructure supplier for the new top-level domains .amsterdam, .politie and .aw (Aruba), we have an important role within the overall DNS name space. If you want to visit https://example.nl/, your browser needs to know the IP address of the webserver for that domain. Your browser gets the address from a resolver, which ultimately gets it from the name servers for example.nl. It does that by first asking the name servers for the root (the starting point of the DNS hierarchy). They refer the resolver to the .nl name servers, which refer it to the name servers for example.nl.
In other words, both the root and .nl are very important links in the chain. If the DNS didn't work properly at the .nl level – the level that we're responsible for – that could affect the availability of millions of servers and e-mail addresses.
We believe that the DNS for .nl (and the other TLDs that we're technically responsible for) must be available 100 per cent of the time. Unlike many ICT systems – even our own domain name registration system – ninety-nine-point-something percent availability simply isn't good enough. So we've taken steps to protect against all conceivable risks, including DDoS attacks, human error, system errors, insolvency, system security compromise and the failure of a particular supplier's hardware or software. The exhaustive risk assessment and the associated risk control measures (some of which are quite far-reaching) are described in our DNS Policy. The policy is formulated and maintained by our DNS Operations Team.
All the ins and outs of our DNS Policy can't be described in an article like this, but one of the things we do to protect availability is make sure we're not dependent on one kind of software. So, for a long time, we've been using open-source software from two very competent organisations. We work with ISC's BIND and an excellent locally developed product, NSD by NLnetLabs. The idea is that, if either package turns out to have a vulnerability, the availability of the .nl zone won't immediately be in jeopardy. We'll simply switch to using the other.
An addition to the family: Knot DNS
We're pleased to announce that, after extensive testing, our DNS software family has a new member: Knot DNS, developed by our colleagues at CZ.NIC. The software meets all our high technical requirements. Since early October, Knot DNS has been operational for .nl, .amsterdam, .politie and .aw. Deployment of the new software means that our DNS platform now features even more diversity and is therefore even less vulnerable to software issues.
Marc Groeneweg, Coordinator of our DNS Ops Team is pleased with the acquisition. "Knot DNS is a completely new product that's been developed from scratch," he explains. "In many ways, that's a good thing, but it also brings a risk of teething problems. Fortunately, we have excellent relations with our Czech colleagues. We put Knot DNS through its paces pretty thoroughly. A few bugs came to light early on, which our DNS specialists helped to resolve. But Knot DNS gradually became more stable and won our confidence. It's now fully embedded in our ICT management environment and has been operational since the start of the month. A significant milestone in our ongoing efforts to enhance the .nl domain."