The OpenDNSSEC project

OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy. The project is Open Source and intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

SoftHSM 2.4.0

Version 2.4.0 of SoftHSM has been released.


  • Issue #135: Support PKCS#8 for GOST.
  • Issue #140: Support for CKA_ALLOWED_MECHANISMS.
    (Patch from Brad Hess)
  • Issue #141: Support CKA_ALWAYS_AUTHENTICATE for private key objects.
  • Issue #220: Support for CKM_DES3_CMAC and CKM_AES_CMAC.
  • Issue #226: Configuration option for Windows build to enable build with static CRT (/MT).
  • Issue #325: Support for CKM_AES_GCM.
  • Issue #334: Document that initialized tokens will be reassigned to another slot (based on the token serial number).
  • Issue #335: Support for CKM_RSA_PKCS_PSS.
    (Patch from Nikos Mavrogiannopoulos)
  • Issue #341: Import AES keys with softhsm2-util.
    (Patch from Pavel Cherezov)
  • Issue #348: Document that OSX needs pkg-config to detect cppunit.
  • Issue #349: softhsm2-util will check the configuration and report any issues before loading the PKCS#11 library.


  • Issue #345: Private objects are presented to security officer in search results.
  • Issue #358: Race condition when multiple applications are creating and reading object files.


OpenDNSSEC 2.1.3

Version 2.1.3 of OpenDNSSEC was released on 2017-08-10.


As of today, version 2.1.3 of OpenDNSSEC has been released. No special migration steps are required when upgrading from a previous 2.x.x release. It includes fixes to the build system, fixes for some regressions relative to OpenDNSSEC 1.4, and a fix for a signing bug.

Build fixes

  • OPENDNSSEC-904: autoconfigure fails to properly identify functions in ssl library on some distributions. This caused the “tsig unknown algorithm hmac-sha256” error.
  • OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer.


Regressions

  • OPENDNSSEC-508: Tag RolloverNotification was not functioning correctly
  • OPENDNSSEC-901: Enforcer would ignore ManualKeyGeneration tag in conf.xml
  • OPENDNSSEC-906: AllowExtraction tag included from late 1.4 development

Bugs Fixed

  • OPENDNSSEC-886: Improper time calculation on 32-bit machines caused the purge of keys not to be scheduled. The purge would happen, but some time later than expected.
  • OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
  • OPENDNSSEC-908: Warn when TTL of resource record exceeds KASP’s MaxZoneTTL. Formerly the signer would cap such TTLs to prevent situations where those records could get bogus during ZSK rollover. However, it has been realized that this can potentially lead to failing IXFRs. We intend to bring back this feature in the near future, when our internal data representation allows this.


SoftHSM 2.3.0

Version 2.3.0 of SoftHSM has been released.


  • Issue #130: Upgraded to PKCS#11 v2.40.
    • Minor changes to some return values.
    • Added CKA_DESTROYABLE to all objects. Used by C_DestroyObject().
    • Added CKA_PUBLIC_KEY_INFO to certificates, private, and public key objects. Will be accepted from application, but SoftHSM will currently not calculate it.
  • Issue #142: Support for CKM_AES_CTR.
  • Issue #155: Add unit tests for SessionManager.
  • Issue #189: C_DigestKey returns CKR_KEY_INDIGESTIBLE when key attribute CKA_EXTRACTABLE = false. Whitelist SHA algorithms to allow C_DigestKey in this case.
  • Issue #225: Show slot id after initialization.
  • Issue #247: Run AppVeyor (Windows CI) for each PR and merge.
  • Issue #257: Set CKA_DECRYPT/CKA_ENCRYPT flags on key import to true. (Patch from Martin Domke)
  • Issue #261: Add support for libeaycompat lib for FIPS on Windows. (Patch from Matt Hauck)
  • Issue #262: Support importing ECDSA P-521 in softhsm-util.
  • Issue #276: Support for Botan 2.0.
  • Issue #279: Editorial changes from Mountain Lion to Sierra. (Patch from Mike Neumann)
  • Issue #283: More detailed error messages when initializing SoftHSM.
  • Issue #285: Support for LibreSSL. (Patch from Alon Bar-Lev)
  • Issue #286: Update .gitignore. (Patch from Alon Bar-Lev)
  • Issue #291: Change to enable builds and reports on new Jenkins environment.
  • Issue #293: Detect cppunit in autoconf. (Patch from Alon Bar-Lev)
  • Issue #309: CKO_CERTIFICATE and CKO_PUBLIC_KEY now defaults to CKA_PRIVATE=false.
  • Issue #314: Update README with information about logging.
  • Issue #330: Adjust log levels for failing to enumerate object store. (Patch from Nikos Mavrogiannopoulos)


  • Issue #216: Better handling of CRYPTO_set_locking_callback() for OpenSSL.
  • Issue #265: Fix deriving shared secret with ECC.
  • Issue #280: HMAC with sizes less than L bytes is strongly discouraged. Set a lower bound equal to L bytes in ulMinKeySize and check it when initializing the operation.
  • Issue #281: Fix test of p11 shared library. (Patch from Lars Silvén)
  • Issue #289: Minor fix of ‘EVP_CipherFinal_ex’. (Patch from Viktor Tarasov)
  • Issue #297: Fix build with cppunit. (Patch from Ludovic Rousseau)
  • Issue #302: Export PKCS#11 symbols from the library. (Patch from Ludovic Rousseau)
  • Issue #305: Zero pad key to fit the block in CKM_AES_KEY_WRAP.
  • Issue #313: Detecting CppUnit when using Macports. (Patch from mouse07410)