Every time you load a website, send an email, or update an app, you're quietly relying on a handful of unglamorous services that route your packets to the right place: DNS to translate names into addresses, and BGP to figure out how to actually get there. When these systems break, or get attacked, the Internet doesn't just slow down but stops working.

For more than 25 years, NLnet Labs has been one of the small, non-profit teams keeping that core infrastructure running. Their software, including the DNS servers NSD and Unbound, the RPKI tools Krill and Routinator, and the new DNSSEC signer Cascade, is deployed everywhere from hobbyist Pi-Hole setups to Let's Encrypt and major Internet operators. And increasingly, it's written in Rust!

In this episode, I talk to Arya Khanna and Martin Hoffmann from NLnet Labs about what it takes to maintain critical Internet infrastructure as a small team, why they bet on Rust for new projects like the domain crate and Cascade and what the rest of us can learn from a codebase whose users include the people who keep your routes flowing.
About NLnet Labs
NLnet Labs is a non-profit foundation based in Amsterdam that develops open source software and open standards for the core infrastructure of the Internet. Since 1999, the small but dedicated team has built some of the most widely deployed building blocks of the modern web, including the authoritative DNS nameserver NSD, the recursive DNS resolver Unbound, and the RPKI tools Krill and Routinator, which secure global Internet routing. Their work is trusted by operators ranging from hobbyist Pi-Hole users to Let's Encrypt and major Internet service providers. In recent years, NLnet Labs has been steadily moving its new development to Rust, with projects like the domain crate and the Cascade DNSSEC signer leading the way.
Links From The Episode

• NSD - NLNet Labs' first project
• lychee - A link-checker that receives funding from NLNet (not NLNet labs!)
• unbound - A DNS server like BIND, but only for recursive queries
• Cascade - The new DNSSEC signing solution from NLNet Labs
• Pi-Hole - A small usecase for unbound
• Let's Encrypt - A big user of unbound with scale and security requirements
• Asahi Linux - Linux on Apple Silicon, mostly with Rust
• Binder CVE - A CVE in Rust
• LDNS - A collection of DNS functions, written in C, now in maintenance mode
• domain - The new collection of DNS functions, written in Rust
• tokio - The biggest shared dependency across the Rust ecosystem, first announced in 2017
• Rust in Production: Helsing with Jon Gjengset - You can take generics too far
• bytes - Tokio's Arc of bytes
• Arc Welding - The other type of "fixing"
• Alejandra González' crate dependency analysis - 46% of published crates depend directly on tokio
• RPKI - Signing and validating IPs and routing information
• Routinator - A RPKI validator, one of the first Rust applications in production
• hyper - The ubiquitous HTTP crate
• Krill - The RPKI Certificate Authority tool with "fun" shutdown code
• Roto - Tert's scripting language, used by another NLNet Labs project, Rotonda

Official Links

• NLnet Labs Website
• Arya Khanna's Website
• Arya Khanna on GitHub
• Arya Khanna on Mastodon
• Martin Hoffmann on GitHub
• Martin Hoffmann on Mastodon