Home / Industry

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Verisign is pleased to announce the public introduction of getdns at The Next Web in Amsterdam (TNWEurope) April 23-24, 2014. Verisign Labs and NLNet Labs in collaboration have developed getdns, an open source implementation of the getdns-api application programming interface (api) specification.

At The Next Web, getdns is one of the challenge APIs in a 36-hour Hack Battle. Multiple teams of application coding experts are using getdns to develop innovative applications that leverage the global security infrastructure available through DNS Security Extensions (DNSSEC).

Several years of community and researcher effort have led up to this introduction. The modernized, extensible DNS API specification was developed by a volunteer team of Web applications developers—the contributors included people specializing in instant messaging programs, Web browsers, and social networking systems. Its novel goal was to offer DNS programming calls adapted to the use of application developers, allowing full access to the power of the DNS ecosystem without requiring the applications developers to be deep experts in the DNS protocol.

Paul Hoffman, an application security consultant, edited the API and Verisign Labs joined in the fun over a year ago, several months before the first publication. Once it was published, we invited NLNet Labs to join us in creating an open source implementation for widespread public distribution, getdns. Hoffman and the community then updated the specification to address discoveries we made during implementation. In February 2014, we unveiled early beta code for review and in the months since we have also released an early port of getdns to iOS, and beta versions of node.js and Python language bindings. Source repositories are publicly available on github.

At its heart, getdns makes use of the DNS protocol processing of the NLNet Labs Unbound open source—Unbound is a widely used, DNS Security Extensions (DNSSEC)-centric implementation of the DNS standards. We reflect this in the phrase “Unbound Security” in the getdns logo. The double meaning: removal of the bounds that have kept applications from easy access to a global security infrastructure in the DNS.

getdns provides easy access to the powerful evolving capabilities of DNS, including the DNSSEC and DNS-based Authentication of Named Entities (DANE). In the common DNS APIs, found on most computers, the calls were last updated in 2000 (to add IPv6 addresses). With getdns, programmers can access the modern DNS. Notably, with one function call, programs can elect to perform DNSSEC validation, while still making use of the resources of their enterprise or ISP DNS resolver. getdns offers a simple set of choices, a clean abstraction of the extensive support provided by Unbound underneath.

Due to the aging of the common APIs for DNS, the powerful, modern capabilities of the system have been underutilized. This situation has contributed to the perception by some that DNS is onerous and insufficiently speedy. Another key deliverable of getdns is default asynchronous access to DNS. In the common DNS APIs, when a query is sent to the DNS, another query will not be sent until the response for the first one has been received. The getdns implementation allows programmers to select their favorite programming library for asynchronous processing, and then to send arbitrary numbers of DNS queries while waiting for responses to arrive.

Consider what this means: before your Web browser loads a Web page for the first time, it requests the look up of typically hundreds of domain names, both for the initial page and to “pre-fetch” information that you may want soon after. Instead of doing these lookups one after another, an asynchronous API means that the queries are processed as rapidly as the domain servers can reply to them.

We are at the start of a promising new chapter in the tale of the mighty domain name ecosystem. As the getdns launch continues, I look forward to bringing you more updates, including results from the TNWEurope Hack Battle. Watch this space.

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global