SIDN Labs’ key results in 2025

Insights, innovations and protocol contributions: working for a strong .nl and an open, secure and resilient internet


Authors: the SIDN Labs team

In this blog post, we summarise the insights and innovations generated by our research in 2025, and how they contributed to internet protocol development within the IETF. Our work is intended to benefit the users, registrants and registrars of .nl domain names, and the wider internet community in the Netherlands. We also describe our new research infrastructure, the workshop we held with Dutch internet experts to get feedback on our work and our close collaboration with universities. Finally, we outline our plans for 2026.

DNS insight: .nl can be signed using 2 quantum-safe algorithms

Experts: Caspar, Elmer and Ralph

By means of extensive testing, we demonstrated that the cryptographic algorithms Falcon-512 and Mayo-2 are suitable for the DNSSEC-signing of .nl and other DNS zones that contain millions of domain names. Both algorithms are based on ‘post-quantum cryptography’ (PQC), i.e. cryptography strong enough to stand up to the powerful quantum computers of the future. PQC algorithms are fundamentally different from the algorithms currently used for DNSSEC, such as RSA and ECDSA. Our investigation was prompted by a desire to understand the operational implications of using PQC algorithms for .nl and other top-level domains. Falcon was selected because it’s being made a NIST standard, and MAYO because we believe it’s very promising for DNSSEC. The project was part of our collaboration with SURF and the University of Twente in the field of PQC for DNSSEC.

DNS innovation: system for recommending DNS anycast locations

Experts: Thijs and Thymen

In partnership with our DNS team, we developed Autocast, a data-driven, automated tool that recommends anycast locations (e.g. Amsterdam, New York or Frankfurt) with the aim of minimising .nl’s response times globally. Our DNS team currently selects locations largely using manual methods, which require multiple testing and refinement iterations. With the number of possible anycast locations going up all the time, that manual approach is increasingly labour-intensive and the potential for suboptimal name server distributions is growing. The novel feature of our method is that it relies exclusively on IP unicast measurements. By performing a battery of such measurements, we can establish the median resolver response time for a given combination of anycast locations to within a millisecond, without having to make any BGP announcements. SIDN’s DNS team will roll out Autocast to the production environment next year, and start using it to optimise .nl’s DNS anycast locations.

DNS insight: the challenges of monitoring the root server system (and other DNS infra)

Experts: Moritz and Marco

We investigated the challenges facing operators and researchers who want to monitor the DNS root, top-level domains and other highly distributed DNS infrastructures from outside, to see whether they are performing as expected. Such challenges include selecting ‘vantage points’ for monitoring and clearly defining the performance indicators to be monitored. The challenges had previously been identified by our RSSAC047 study for Verisign and ISC: a project aimed at evaluating the DNS root monitoring system, which we carried out in partnership with NLnet Labs. A top-notch monitoring system is vital for the availability of critical DNS infrastructure, because DNS operators often replicate their name servers and distribute them all around the world. For example, we do that ourselves for .nl, using an ‘anycasted’ DNS infrastructure (in combination with Autocast, as of next year).

DNS insight: factors that influence non-renewal of domain names

Experts: Thymen and Thijs

Working with SIDN’s data team and 12 other CENTR-affiliated registries, we developed a tool that provides information about the non-renewal of domain names. Together, the project partners defined 15 non-renewal indicators and applied the same statistical algorithms to a wider combination of data sources than previously used, including registration data, DNS data, billing data and data on website content types. That enabled us to cross-compare the non-renewal indicators from 6 of the 12 ccTLDs, with each of the ccTLDs involved applying the tool only to their own data. The initial results confirm our supposition that domain names for which we get a lot of DNS traffic are more likely to be renewed: renewal was about 15 per cent more likely with the most frequently queried names. The insights provided by the project will enable SIDN and other registries to estimate future income streams more accurately, and to improve the work done in tandem with registrars to encourage renewal, such as co-funded .nl marketing campaigns. We’re planning to share further details in a blog early next year.

DNS standardisation: first version of the RESTful Provisioning Protocol

Experts: Maarten and Marco

Within the IETF, we teamed up with DENIC (.de) and other registries to develop an initial version of the architecture and requirements for the RESTful Provisioning Protocol (RPP). RPP is being developed as a protocol for domain name registration APIs that are more suitable for cloud technology-based systems (on-premises, private or public cloud) than APIs based on the Extensible Provisioning Protocol (EPP). Earlier in 2025, the IETF set up a formal RPP working group in response to lobbying by SIDN and others. SIDN Labs team member Marco chairs the working group, while Maarten is involved as one of the technical architects. The group has already made good progress, and development of the protocol is going to plan.

DNS standardisation: digital ‘For sale’ signs in the DNS

Expert: Marco

Also through the IETF, we developed ‘ForSale’: a straightforward, low-threshold mechanism that allows a registrant to advertise via the DNS that their domain name is for sale – whether it’s a .nl or uses another extension. We enabled ForSale for .nl on a pilot basis, and participating registrars have already added ForSale labels to the DNS records of more than 250,000 .nl domain names. We hope that ForSale will help to make the domain name market more transparent and accessible, so that domain names can be traded more quickly and effectively. We expect to have the draft protocol finished early in 2026.

BGP insight: maturity of BGPsec implementations is low

Experts: Lisa, Moritz and Ralph

We demonstrated that, at the moment, there is no software router that offers good BGPsec support. Defined in 2017, BGPsec is a BGP extension that allows routers to cryptographically sign and validate BGP paths. The absence of support means BGPsec is not yet sufficiently mature for production use. Nevertheless, used in combination with technologies such as RPKI and ASPA, the extension has the potential to reinforce routing security in the future. Our research was done using a small-scale testbed, in which we experimented with 5 BGPsec implementations (QuaggaSRx, ExaBGP-SRx, GoBGP-SRx, FRR and BIRD). Before BGPsec can be deployed, considerable improvements will be needed – to BGPsec signature validation, for example. In addition, operators’ concerns about the computational power required by BGPsec will need to be addressed. The patches we developed for our evaluation and the deployment software we used in our testbed are available from our GitHub repository.

BGP innovation: automated evaluation of routing security

Experts: Lisa and Moritz

We developed and evaluated a prototype system for measuring an internet network’s implementation of MANRS+. MANRS+ is a suite of measures designed to protect against route hijacks and other common routing hazards. Examples of MANRS+ measures include filtering bogus routing announcements and securing BGP sessions. MANRS+ is an extension to MANRS, which is supported by more than 1,200 networks worldwide. SIDN has been affiliated to MANRS since 2018, because we believe that a secure routing system is vital both to the .nl ecosystem and to the internet as a whole. Other Dutch MANRS affiliates are KPN, VodafoneZiggo, TransIP, BIT and SURF. Our research was done using a testbed connected to our lab network. The findings were used to support recommendations to the organisation behind MANRS+ regarding the possible creation of a ‘MANRS+ auditor’. Our prototype is publicly available via our GitHub.

NTP insight: considerable variation in ‘BigTime’ characteristics

Experts: Giovane and Marco

We compared the properties of the Network Time Protocol (NTP) services of 7 ‘BigTime’ providers, including Apple, Microsoft, Ubuntu and Google. Our measurements revealed considerable differences. For example, of the 7, only Ubuntu and Cloudflare support Network Time Security (NTS). We also discovered that Microsoft uses a single time source for 50 per cent of the devices using its service, while Apple’s and Ubuntu’s time services don’t support RPKI. We believe it’s important to have information of this kind, because BigTime services have barely been studied, even though billions of devices around the world rely on them. Another finding was that at least 4 billion devices with Apple and Windows operating systems depend on outdated and insecure NTP software. As a result, an attacker could put clocks backwards or forwards by years, with enormous security implications. Both our studies were carried out with the help of students from Delft University of Technology. They resulted in tech reports on the BigTime providers and the NTP software.

NTP innovation: extending our anycast testbed for the NTS Pool

Experts: Marco and Giovane

We extended our anycast testbed so that it could be used as the basis for an initial version of the NTS Pool. The pool is a collection of non-commercial time servers that offer time services based on the Network Time Security (NTS) protocol. The intention is to make it easy for devices and services to select and use an NTS server from the pool. One possible extension is the addition of Chrony as an NTP server with NTS patches. The NTS Pool is inspired by the NTP Pool, the biggest time service on the internet, which has been operating for decades, but relies on the insecure Network Time Protocol (NTP). We work closely with Trifecta Tech, the organisation behind the development of the RUST NTS software, now working on a protocol within the IETF. The project is co-funded through the ICANN Grant Program.

Tooling innovation: our research infrastructure at Nikhef

Experts: Ralph, Maarten, Thijs, Johan, Richard and Dennis

We have redesigned our research infrastructure and rebuilt it using new hardware at the Nikhef data centre. The changes were made because our existing infrastructure uses outdated hardware (servers from 2017 to 2020) and software (e.g. Hadoop, rather than modern data technologies such as Trino and S3). We also wanted to isolate our infrastructure from the SIDN network more completely, and to obtain our own real-time flow of BGP traffic by realising direct connections to international internet exchanges such as AMS-IX and NLix. Our requirements differ from those that apply to SIDN’s production systems, including the .nl domain registration system. For example, our research infrastructure doesn’t need to have the availability of the production systems, but does need to handle much more data.

We have rolled out the base layer of the infrastructure – including a Kubernetes and Proxmox cluster, S3-compliant storage, Apache Spark and Jupyter Notebooks – on the new hardware. We have also worked with SIDN’s security team to ensure that the infrastructure is covered by the organisation-wide security monitoring and that its use conforms to ISO27001. The operation will be completed early next year, when we migrate our applications and data.

Workshop with the Dutch technical community

Experts: Ralph, Lisa and Cristian

We organised a workshop with 15 experts from the Dutch internet community to get feedback on the quality, relevance and direction of SIDN Labs’ research, and ideas on how we can further enhance our work. We believe that it’s important to remain in tune with the community, because, as the registry for .nl, SIDN has a public role. For many years, we have relied mainly on international validation based on, for example, the academic publishing process and the number of externally funded research projects undertaken.

Overall, the experts gave our work a mark of more than 8 out of 10. Amongst the strengths they highlighted were the excellent quality of the research, the frequent publications, the logical choice of research themes (DNS, BGP, NTP) and the exemplary nature of our testbed approach. Improvements that were suggested included refining our technical vision for the internet and defining our target audiences more precisely (e.g. policymakers and politicians, as well as the technical community). We will take up the experts’ feedback and report the results at a follow-up workshop in 2026.

New internet talent

Experts: Elmer (Internship Coordinator)

By providing internships and by other means, in 2025 we once again helped the next generation of engineers and researchers to develop into new internet talent. We promote talent development not only for the benefit of .nl and SIDN, but also so that the Netherlands remains a leading centre for knowledge regarding the working, innovation and standardisation of the internet. In this field, we collaborate closely with universities such as Radboud University, the University of Twente and Delft University of Technology (TU Delft).

This year, 3 master’s students were part of our team. They investigated how resolvers behave if they temporarily have to deal with both PQC algorithms and classical algorithms, what’s needed to make the RPKI quantum-safe (second place in the KHMW Responsible Internet Thesis Awards!) and how we can use representation learning to detect malicious .nl registrations here at SIDN. We also commissioned a group of 5 bachelor’s students at TU Delft to develop NTPinfo: a site where internet users can evaluate the properties of NTP servers, such as their accuracy, time source and geolocation. In addition, we supervised 4 PhD students who were preparing articles for academic journals, on subjects such as ‘noise’ in BGP data, the adoption of DDoS scrubbers on the internet and extensions to BGPsec.

Finally, we partnered with Young ECP, NL IGF, RIPE NCC and the University of Twente to host a workshop called How the Internet Really Works. At the workshop, 25 students and young professionals with policy development and technical backgrounds were able to build bridges between their disciplines by discussing topics such as internet fragmentation and centralisation. The technical students were from the Advanced Networking master’s course, which we put on for the eighth time this year, with the help of colleagues at the University of Twente.

Academic publications

Experts: Giovane, Ralph, Moritz and Cristian

We believe that collaborating with academia is important for the joint development of (radical) new ideas, for obtaining independent feedback on our work, and so that academics can benefit from our data and insight into the problems that arise in practice.

This year, we published 8 academic papers, many written in partnership with university colleagues. We also published an article and a blogpost about the 5 models that we use at SIDN Labs for collaboration with universities: internships, data sharing, informal collaboration, secondments and externally funded research projects. In the article, we considered the pros and cons of each model and illustrated how each has yielded results that benefit not only .nl and SIDN, but also our partners and the wider internet community. The purpose of the publication was to promote collaboration between smaller tech organisations such as SIDN, and universities.

Our plans for 2026

In the coming year, we’ll complete our analysis of the impact of PQC algorithms on DNSSEC. We also plan to produce an advisory report for SIDN’s DNS team and other operators regarding the suitability of at least 4 PQC algorithms, based on the work we’ve done this year on DNSSEC signing and work we’ll be doing in 2026 to investigate the impact of PQC algorithms on DNSSEC validation. That latter study will utilise real-world anonymised DNS traffic in a continuation of our collaboration with SURF and the University of Twente.

Within the IETF, we’ll continue developing RPP, for example by contributing to new internet drafts and the development of an RPP prototype. That work is expected to conclude with a formal IETF protocol, probably in 2027, which could enter production use some time after late 2027. At the IETF, we work closely with the other RPP working group members, such as DENIC (the .de registry) and Internet Stiftelsen (.se).

We’ll use measured data to investigate the potential impact of BGP hijacks on the .nl name servers. We’ll also produce an inventory of resolvers in networks that are vulnerable to the potential hijacking of our prefixes, and we’ll suggest network configuration improvements that could mitigate the impact. We intend to develop tools that SIDN’s DNS team and their counterparts elsewhere can use in the event of a BGP hijack to quickly measure its impact on resolvers and end users, and to accelerate the ‘postmortem’ analysis of BGP hijacks. Both our own measurement tools (e.g. Autocast and ENTRADA) and public data sources (e.g. Route Collectors) will be used.

Also on the agenda for 2026 is further extension of our anycast testbed for a large-scale pilot with the NTS Pool. Over a period of 6 months, we’ll use internet measurements to evaluate the Pool’s performance. The results will enable us to advise future NTS Pool operators about the mechanisms for ‘anycasting’ the service and providing accurate time data. In that context, we’ll look to generate findings that are useful for policymakers concerned with the resilience of the Netherlands’ communication infrastructure, including the government and the Cyber Security Council. The software we develop will be made open source. In that field, we’ll be working closely with Trifecta Tech and ICANN.

In partnership with NLnet, CWI, SURF and others, we’ll start a pilot network for the Netherlands based on SCION, an alternative internet architecture for applications with high security requirements. That will include multistakeholder ownership and governance of SCION-NL, the SCION network domain that we set up for the purpose. This is a good time for such research, because SCION appears to be gaining significant traction with actors such as Odido, Varity, CWI and NLix. We’ll therefore be resuming our SCION work, after previously becoming the Netherlands’ first SCIONlab affiliate in 2019 and realising a direct connection in 2020. We additionally plan to define the role that SIDN could potentially play in this field, e.g. in SCION’s DNS-like naming system, or as the Certificate Authority for SCION-NL.

Finally, we intend to make our data sources more suitable for AI technologies, such as Graph Neural Networks and Transformers, so that we are able to obtain even more insights for .nl, the internet and SIDN itself. That will involve developing generic automated methods for describing data that we use a lot in an AI-compatible way. We’ll evaluate the performance of the methods using prototypes, such as .nl website page type classification and improved understanding of non-renewal indicators. We’re looking to collaborate with universities interested in teaming up with us and using their AI expertise to improve internet security.

Thanks for 2025, and happy Christmas!

We’d like to thank all our colleagues at SIDN and all our research partners for working with us in 2025 to make a vital contribution to the openness, security and resilience of .nl and the wider internet. In 2026, we’ll continue publishing research updates on this site. You’re warmly invited to give us your feedback and ideas, or to suggest project collaborations. In the meantime, happy Christmas!