When we launched the Nominet DNS Fund, we had one main goal: to support the people and projects quietly keeping the internet running. The first funding round confirmed just how much important work is happening largely out of sight, from maintaining core software libraries to running public interest domain name system (DNS) services.
In this blog we explore the stories behind the first five projects funded in the initial Nominet DNS Fund application window. Each project tackles a different part of the DNS and internet infrastructure, but all share the same goal – a safer, more reliable internet for everyone.
Cascade by NLnet Labs
Cascade is a new DNSSEC (DNS Security Extensions) signing solution with a strong focus on transparency and control. It’s initially designed to be used by top-level domain operators and aims to make sure that when someone types in a domain name, the system behind the scenes can be trusted to do the right thing reliably and securely. Cascade replaces older, more rigid DNSSEC tooling with a tool which is easier to operate, more flexible, and better suited to modern infrastructures and business processes.
The team at NLnet Labs believe Cascade showcases why maintenance and evolution of existing software is just as important as inventing something entirely new. The need for Cascade is clear. Funding from Nominet helps and gives the non-profit team behind it the ability to design and build Cascade for the long term.
“With Cascade, we’re building a modern tool for DNS trust and security that operators can deploy and maintain in real world environments. This work is essential for the long-term health of the internet, but it’s very hard to fund because it sits below the surface.
“The Nominet DNS Fund has been refreshingly different: the team understands the value of infrastructure and long-term maintenance, and the application process respected how we work as an open source, non-profit organisation. Their support gives us the confidence to invest in Cascade properly and deliver something the whole DNS ecosystem can benefit from.”
– Alex Band, Director of Product Development, NLnet Labs
Validns by OARC
Validns checks that the basic building blocks of the DNS are correct and trustworthy. The project gathers domain names from DNS zone files and runs a set of checks to make sure they are grammatically and syntactically correct, and that DNSSEC cryptographic signatures are valid.
If DNS data is wrong or inconsistent, people can end up at the wrong website, services can break, and security problems can be introduced. Used as an independent verification tool before the DNS data is published, Validns provides an extra safety layer, helping operators catch issues before they become incidents.
The tool is open source and community driven. It’s already been adopted by multiple registries and country code operators, and the focus now is on keeping it up to date as standards evolve. Nominet’s funding allows the maintainers to add support for new record types and cryptographic methods, fix bugs, and improve performance so the broader ecosystem can continue to rely on it.
“Validns is designed to quietly catch problems before they reach users – checking that the data behind domain names is correct, consistent and cryptographically sound. It’s the kind of invisible safety net you only notice when it isn’t there.
“Historically, finding funding for this kind of ‘plumbing’ work has been extremely difficult, even though many registries and operators rely on it. The Nominet DNS Fund has changed that dynamic for us. Not only is the funding itself valuable, but the fact that a major registry is explicitly backing this kind of infrastructure sends an important signal to the wider industry. It tells operators and policymakers that maintaining shared, open source tools is a priority, not an afterthought.”
– Phil Reginauld, President of DNS-OARC
OpenSSL Library
OpenSSL Library is one of the most widely used cryptographic libraries in the world. It underpins secure connections for countless services and applications, from websites to embedded devices. Because it’s so widely used, improving its reliability has a big impact on the entire internet.
With funding, OpenSSL Foundation will put in place tools, mechanisms and frameworks to enable improved unit testing, memory validation testing, and mocking capabilities. This will enable them to improve testing coverage, quicker. And better coverage means more bugs and potential vulnerabilities can be found and fixed earlier.
The team plans to invest in testing infrastructure and bring in dedicated engineering resources to focus on this work. They’re also exploring how to involve the wider community, for example by encouraging more contributors to work on this critical layer.
“OpenSSL Library sits under so much of the secure traffic on today’s internet that even small improvements in testing can have a big impact. Thanks to the Nominet DNS Fund, Open SSL Foundation can dedicate time, infrastructure and specialist skills to finding the tricky bugs and edge cases that only show up when you really stress a codebase.
“Just as important, the Fund’s team has been an engaged partner – the combination of financial support and genuine understanding of infrastructure is rare and hugely appreciated.”
– Matt Caswell, Executive Director, OpenSSL Foundation
Quad9
Quad9 operates a public interest DNS service that combines security, privacy and accessibility, with a strong focus on users in underserved parts of the world that havehigh exposure to online threats, but limited access to protective services. It blocks known malicious domains using threat intelligence from multiple providers, giving people a layer of protection even if they don’t have other security tools in place.
Quad9 is also committed to privacy of end users, integrity of the DNS, and creating positive change in the DNS community and technology space. It’s one of few organisations operating DNS purely in the public interest, rather than as an add‑on to a commercial product. By supporting good policy and contributing improvements to the open source stack it relies on, Quad9 aims to benefit not only its own users but the wider DNS community as well.
Running and maintaining this service is demanding. Servers, networks and software all need regular investment. Yet infrastructure projects like Quad9 are often the hardest to fund, because they are seen as ‘background utilities’. Support from the Fund will help Quad9 reduce technical debt, strengthen its systems and continue providing protection to users who need it most.
“Quad9 was created to provide a safer, privacy-respecting DNS service to people who might otherwise be left without basic protection. We operate as a public interest non-profit, which means we put users and security first, but it also means that ongoing investment in infrastructure and technical debt is a constant challenge.
“The Nominet DNS Fund has been a breath of fresh air. From the first conversation it was clear Nominet understood the realities of running critical DNS infrastructure on a non-profit basis, and they were prepared to back that work for the public good. We hope that the code and methods that this promotes will help provide more security, observability, and understanding of the DNS.”
– John Todd, General Manager, Quad9
BIND 9 by ISC
Internet Systems Consortium (ISC) develops and distributes BIND 9, one of the most widely used open source DNS systems in the world. Many operators of the root, top-level and second-level domains rely on it to make sure websites, and online services, can be reached. As internet traffic grows and hardware changes, the team behind BIND 9 needs to verify that it still runs quickly and reliably on modern servers. But ensuring that they have access to all the platforms and systems they need is expensive.
Support from the Nominet DNS Fund will pay for a new physical test lab, with powerful machines to act as DNS servers, others to generate realistic traffic, and a controller to run and measure the tests. This will help the team understand how BIND 9 behaves under real-world conditions and make clear, targeted improvements so it can continue to support the DNS in the future.
“BIND 9 has been part of the internet’s fabric for decades, and expectations on it keep rising as traffic grows and hardware changes. Support from the Nominet DNS Fund makes it possible to build a dedicated performance lab so we can deliver improvements in scalability and efficiency. That investment doesn’t just benefit one organisation – it strengthens a piece of open source infrastructure that many operators and end users depend on every day.”
– Suzanne Goldlust, Marketing Manager, ISC
Why is Nominet backing this work?
Across all these projects, a common message has emerged in our conversations with teams: limited funding for long term maintenance and behind the scenes improvements to open source DNS threatens the security and resilience of the internet. The Nominet DNS Fund was created to support to organisations working in the public interest on DNS and related open source technologies.
To shape the programme, an expert advisory panel was created. It features a range of independent experts from across the internet and open source community, including experts from ICANN, Sovereign Tech Agency, Linux Foundation, and Nominet membership. Their role is to assess all applications and recommend the proposals that meaningfully strengthen the foundation of the internet.
The internet depends on underlying infrastructure that is robust, secure and well maintained. The organisations supported through the Nominet DNS Fund are carrying out essential work that most people never see – yet everyone depends on when they go online. Our aim is to back projects that improve security, resilience and trust across the DNS. This aligns with a public benefit approach that supports the internet ecosystem and technical communities.
This first tranche of funding is only the beginning, and we are on a learning journey to improve how we approach this funding. Later this year, we will open the next Nominet DNS Fund application window – inviting further proposals from organisations that are working to protect, strengthen or evolve the DNS and its related open source technologies. Sign up for alerts on our website for updates and get in touch if you have feedback.