Updates:

• OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for  a key is changed in a policy (as this rollover is not handled cleanly)
• OPENDNSSEC-91: Make the keytype flag required when rolling keys
• OPENDNSSEC-403: Signer Engine: new command ‘ods-signer locks’ that shows  locking information (for debugging purposes).

Bugfixes:

• OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA  Minimum change.
• OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for  output.
• OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly  when rolling all keys using the –policy option
• SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.

Documentation:

• OpenDNSSEC v1.3 Documentation

Download:

• opendnssec-1.3.14.tar.gz
• opendnssec-1.3.14.tar.gz.sig
• Checksum sha1: 9e6be8b42ab25cf1984f00326d44d0c195e00ef2
• Checksum sha256: 04016069f980191fac446ccab51f06bc7969d7544997c9e538ca1c170c2f42f5

Updates since 1.4.0rc3:

• Production release of 1.4
• Versioning scheme and release support policies updated
• Summary of changes in 1.4  vs 1.3 can be found on the wiki:
  New in OpenDNSSEC 1.4

Documentation:

• OpenDNSSEC Documentation

Download:

• opendnssec-1.4.0.tar.gz
• opendnssec-1.4.0.tar.gz.sig
• Checksum sha1: 111a6de4bb8f13bcedc31880c87588ce07eecc31
• Checksum sha256: 36d4926dcdf351a527ad7600b151ab6cc56d0a472a7eb8871eecd70afef9e101

Updates:

• Further testing of OPENDNSSEC-387 completed, release returned to rc status.

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download:

• opendnssec-1.4.0rc3.tar.gz
• opendnssec-1.4.0rc3.tar.gz.sig
• Checksum sha1: 9b824bd8be628a77daa8afd0079052978b10029b
• Checksum sha256: 7b572604522218125f800af59dfd33667c6cbc92ebaea3ef0dcd2edb8a0a4443

*NOTE: This release is marked as a beta release (rather than rc3) due to OPENDNSSEC-387, which is a significant functional change compared to rc2.

Updates:

• OPENDNSSEC-387: Rollback of multi-threaded enforcer. Due to key allocation issues the usefulness of the threaded enforcer is outweighed by the code complications. The option still remains in conf.xml for compatibility with existing use; but it will now be silently ignored.

Bugfixes:

• OPENDNSSEC-388: Signer Engine: Internal serial should take into account the inbound serial.
• SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates NSEC3PARAM and DNSKEY RRset [OPENDNSSEC-389]
• OPENDNSSEC-389: Input DNS Adapter incorrectly updating NSEC3PARAM and DNSKEY RRsets

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download:

• opendnssec-1.4.0b3.tar.gz
• opendnssec-1.4.0b3.tar.gz.sig
• Checksum sha1: c549c2e0c6e08ac7ed79e1d2999c4ccfd7cf481f
• Checksum sha256: b1b5fe88fad3c8517b6921de50f88d6d8ce5b0c102ca5b0d4597b5420b44254b

**NOTE: This release is signed with the new OpenDNSSEC Distribution key (2013) available from: https://wiki.opendnssec.org/display/OpenDNSSEC/PGP

Bugfixes:

• OPENDNSSEC-388: Signer Engine: Internal serial should take into account  the inbound serial.
• OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while  signconf was not changed.
• Signer Engine: Fixed locking and notification on the drudge work queue,  signals could be missed so that drudgers would stall when there was work to  be done.

Download:

• opendnssec-1.3.13.tar.gz
• opendnssec-1.3.13.tar.gz.sig
• Checksum sha1: b71bf152efc07c9373f66498d14abb59ffb229d2
• Checksum sha256: 4d587882ffc68bca56d96807592366d1a87147d0b8aa518ccfd85b694c889a3f

**NOTE: This release is signed with the new OpenDNSSEC Distribution key (2013) available from: https://wiki.opendnssec.org/display/OpenDNSSEC/PGP

Updates:

• OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for reading.
• OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly)

Bugfixes:

• SUPPORT-44: Signer Engine: Drop privileges after binding to socket [OPENDNSSEC-364].
• Signer Engine: XFR not ready should not be a fatal status for task read (thanks Ville Mattila).
• OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download:

• opendnssec-1.4.0rc2.tar.gz
• opendnssec-1.4.0rc2.tar.gz.sig
• Checksum sha1: 693fc66d81c39cb4856df59dee518d1224bf5a0f
• Checksum sha256: 0ac30e31f1bd391bc11387e9695918e63a6eb5c707fbe472c580871cd7920bf8

Updates:

• OPENDNSSEC-359: Remove eppclient

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download the tarball from: opendnssec-1.4.0rc1.tar.gz

Updates:

• ods-ksmutil: Deprecate the one-step ‘key backup’ command
• OPENDNSSEC-292: Provide scripts to convert database between different supported formats
• OPENDNSSEC-299: ods-ksmutil: ods-ksmutil <enter> now includes policy import
• OPENDNSSEC-300: ods-ksmutil: policy purge documented with a warning
• OPENDNSSEC-315: “ods-hsmutil logout” will delete any credentials in the  shared memory.
• OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL should be set to zero.
• OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
• OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process

Bugfixes:

• SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
• OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by valgrind.
• OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals between apex and  delegation when DS is added/removed.
• Signer Engine: Fixed locking and notification on the drudge work queue, signals could be missed  so that drudgers would stall when there was work to be done.
• libhsm: Fixed PIN handling on OpenBSD.
• Enforcer: If enabled enforcer workers and configured number of workers is 1,  make sure that enforcer runs the signer update command after signer  configuration change.
• Signer Engine: Don’t add double RRSIGs generated by the same key for the  DNSKEY RRset.
• Signer Engine: Rollback incompleted zone transfers on disk (could happen  if a connection was reset during transfer).
• Multi-threaded enforcer: various minor fixes including deadlock problems.

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download the tarball from: opendnssec-1.4.0b2.tar.gz

Bugfixes:

• SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a directory in the default search path of the complier).
• OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on the OpenDNSSEC implementation of strlcpy/cat

Download the tarball from: opendnssec-1.3.12.tar.gz

(Please note that the distribution site has now moved to http://dist.opendnssec.org/source/)

• SOFTHSM-28: Support RSASSA-PSS signature scheme. (Patch from Aleksander Trofimowicz)
• SOFTHSM-29: The default location of the token database is now $localstatedir/lib/softhsm/

Download the tarball from: softhsm-1.3.4.tar.gz