I am very pleased to announce the public introduction of getdns at The Next Web in Amsterdam (TNWEurope) April 23-24, 2014. Verisign Labs and NLNet Labs in collaboration have developed getdns, an open source implementation of the getdns-api application programming interface (api) specification.
At The Next Web, getdns is one of the challenge APIs in a 36-hour Hack Battle. Multiple teams of application coding experts are using getdns to develop innovative applications that leverage the global security infrastructure available through DNS Security Extensions (DNSSEC).
Several years of community and researcher effort have led up to this introduction. The modernized, extensible DNS API specification was developed by a volunteer team of Web applications developers – the contributors included people specializing in instant messaging programs, Web browsers, and social networking systems. Its novel goal was to offer DNS programming calls adapted to the use of application developers, allowing full access to the power of the DNS ecosystem without requiring the applications developers to be deep experts in the DNS protocol.
Paul Hoffman, an application security consultant, edited the API and Verisign Labs joined in the fun over a year ago, several months before the first publication. Once it was published, we invited NLNet Labs to join us in creating an open source implementation for widespread public distribution, getdns. Hoffman and the community then updated the specification to address discoveries we made during implementation. In February 2014, we unveiled early beta code for review and in the months since we have also released an early port of getdns to iOS, and beta versions of node.js and Python language bindings. Source repositories are publicly available on github.
At its heart, getdns makes use of the DNS protocol processing of the NLNet Labs Unbound open source – Unbound is a widely used, DNS Security Extensions (DNSSEC)-centric implementation of the DNS standards. We reflect this in the phrase “Unbound Security” in the getdns logo. The double meaning: removal of the bounds that have kept applications from easy access to a global security infrastructure in the DNS.
getdns provides easy access to the powerful evolving capabilities of DNS, including the DNSSEC and DNS-based Authentication of Named Entities (DANE). In the common DNS APIs, found on most computers, the calls were last updated in 2000 (to add IPv6 addresses). With getdns, programmers can access the modern DNS. Notably, with one function call, programs can elect to perform DNSSEC validation, while still making use of the resources of their enterprise or ISP DNS resolver. getdns offers a simple set of choices, a clean abstraction of the extensive support provided by Unbound underneath.
Due to the aging of the common APIs for DNS, the powerful, modern capabilities of the system have been underutilized. This situation has contributed to the perception by some that DNS is onerous and insufficiently speedy. Another key deliverable of getdns is default asynchronous access to DNS. In the common DNS APIs, when a query is sent to the DNS, another query will not be sent until the response for the first one has been received. The getdns implementation allows programmers to select their favorite programming library for asynchronous processing, and then to send arbitrary numbers of DNS queries while waiting for responses to arrive.
Consider what this means: before your Web browser loads a Web page for the first time, it requests the look up of typically hundreds of domain names, both for the initial page and to “pre-fetch” information that you may want soon after. Instead of doing these lookups one after another, an asynchronous API means that the queries are processed as rapidly as the domain servers can reply to them.
We are at the start of a promising new chapter in the tale of the mighty domain name ecosystem. As the getdns launch continues, I look forward to bringing you more updates, including results from the TNWEurope Hack Battle. Watch this space.