ISRG Launches Prossimo Project for DNS Tool Development
Quick take - The Internet Security Research Group (ISRG) has launched the Prossimo project in collaboration with Ferrous Systems to develop a memory safety initiative for DNS tools, aiming to enhance the security of internet infrastructure through the Hickory project, which focuses on DNSSEC validation and feature parity with existing DNS libraries.
Fast Facts
- The Internet Security Research Group (ISRG) has launched the Prossimo project in collaboration with Ferrous Systems, focusing on memory safety for DNS tools.
- The Hickory project, a key component of this initiative, aims to achieve feature parity with existing DNS libraries used by Let’s Encrypt and enhance DNSSEC validation.
- Funded by the Sovereign Tech Fund, the project began planning in Fall 2023, with active development starting in January 2024 and an expected completion date of December 2024.
- A dedicated team at Ferrous Systems is utilizing open-source development practices, including GitHub for issue tracking and monthly progress reports for stakeholders.
- Future work includes implementing RFC 8914 for Extended DNS Errors to improve diagnostics in DNSSEC validation, with a focus on effective communication and collaboration among team members.
ISRG Launches Prossimo Project in Collaboration with Ferrous Systems
The Internet Security Research Group (ISRG), recognized for its Let’s Encrypt service, has announced a new initiative called the Prossimo project. This project is in collaboration with Ferrous Systems and aims to develop a memory safety initiative focused on DNS tools for authoritative name servers and recursive resolvers.
Importance of Secure Internet Infrastructure
Let’s Encrypt is a free and automated certificate authority that serves nearly half a billion websites and applications, underscoring the importance of secure internet infrastructure. Previously, Ferrous Systems and Prossimo worked together on memory-safe implementations of critical software, including Sudo/su and a TLS library as an alternative to OpenSSL.
The Hickory project is a key component of this collaboration, initiated by Benjamin Fry in 2015. Since then, it has matured into a comprehensive suite of DNS tools that users can deploy for their own DNS services. A primary goal of the Hickory project is to achieve feature parity with the existing DNS library used in the Let’s Encrypt infrastructure.
Funding and Development Timeline
The development of the Hickory project is funded by the Sovereign Tech Fund (STF), established by the German Federal Ministry for Economic Affairs and Climate Action to enhance open digital infrastructure. This initiative marks the third STF-funded collaboration at Ferrous Systems, following prior projects with Prossimo and Stackable. Planning for the Hickory project began in Fall 2023, with active development starting in January 2024 and an expected completion date set for December 2024.
A dedicated team of four at Ferrous Systems is managing the project, employing a lean process typical of open-source development. This includes utilizing GitHub for issue tracking, conducting code reviews, and facilitating communication through Discord. Monthly reports are generated to monitor progress and budget management for stakeholders involved with Prossimo.
Key Objectives and Future Work
Key objectives of the Hickory project include expanding existing DNSSEC validation and adding NSEC3 support, which addresses domain name enumeration issues within DNSSEC. The Domain Name System (DNS) is critical for translating domain names into corresponding IP addresses, and implementing DNSSEC enhances the security of DNS servers by providing data authentication and integrity.
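How NSEC3 limits enumeration, as an added example (not code from Hickory or the original article): owner names in the denial-of-existence chain are salted, iterated SHA-1 hashes rather than cleartext names, and a validator checks that one record's hash interval covers the queried name. The helper names are hypothetical; the zone name, salt and iteration count are those of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Maps the standard Base32 alphabet onto base32hex (RFC 4648), the
# encoding NSEC3 uses so hashed names sort in the same order as raw digests.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def build_chain(names, salt_hex, iterations):
    """Sorted hashed owner names, each paired with the next (last wraps)."""
    hashes = sorted({nsec3_hash(n, salt_hex, iterations) for n in names})
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covers(owner: str, nxt: str, target: str) -> bool:
    """True if the NSEC3 record (owner -> nxt) proves `target` is absent."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt  # last record wraps to the first

def covering_record(chain, name, salt_hex, iterations):
    """The record a validator needs to accept 'name does not exist'."""
    target = nsec3_hash(name, salt_hex, iterations)
    return next((rec for rec in chain if covers(*rec, target)), None)

# Zone name and parameters from the RFC 5155 Appendix A example zone.
SALT, ITERATIONS = "aabbccdd", 12
ZONE_NAMES = ["example", "a.example", "ai.example", "ns1.example"]

if __name__ == "__main__":
    chain = build_chain(ZONE_NAMES, SALT, ITERATIONS)
    for owner, nxt in chain:
        print(f"{owner}.example. NSEC3 -> {nxt}")
    print("covers nope.example:", covering_record(chain, "nope.example", SALT, ITERATIONS))
```

A name that exists in the zone has no covering record, because its hash matches an owner name exactly instead of falling strictly between two of them.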
The initial phase of the Hickory project involved a thorough review of relevant RFCs to assess existing DNSSEC and NSEC3 support. A conformance test suite was developed to check compliance with these standards. It allows DNS setups to be tested in isolation, without interacting with public DNS servers, which avoids potential rate limiting. The test suite also enables functionality comparisons against reference implementations to help evaluate feature parity.
Future work for the Hickory project includes implementing RFC 8914 for Extended DNS Errors (EDE) to enhance diagnostics in DNSSEC validation. The conformance test suite has proven beneficial in identifying DNSSEC and NSEC3-related bugs, as well as broader issues whose resolution improves overall project quality.
Throughout this collaborative effort, effective communication has been key, with valuable feedback between team members from Ferrous Systems and ISRG being instrumental in progressing the project. Acknowledgments were made to individuals involved for their contributions and support, highlighting the collaborative spirit essential for the success of the initiative.