The OpenDNSSEC project

OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy. The project is Open Source and intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

OpenDNSSEC 2.1.6

Version 2.1.6 of OpenDNSSEC was released on 2020-02-10.


This release of 2.1.6 fixes some issues regarding the key list being wrongly displayed (a regression bug in 2.1.5) as well as a small memory leak in the enforcer (which can add up when you bang the enforcer with a lot of commands). It also fixes a serious signing error when using Combined Signing Keys (CSKs); this is only relevant if you combine KSK and ZSK in one key. Users of CSKs especially need this fix now. Another nice fix is a reconnect to a MySQL/MariaDB database, so you don’t have to tweak database parameters.

The 2.1.6 release is available immediately from the download site.


  • OPENDNSSEC-913: verify database connection upon every use.
  • OPENDNSSEC-944: bad display of date of next transition (regression)
  • SUPPORT-250: missing signatures on using combined keys (CSK)
  • OPENDNSSEC-945: memory leak per command to enforcer.
  • OPENDNSSEC-946: unclean enforcer exit in case of certain config problems.
  • OPENDNSSEC-411: set-policy command to change policy of zone (experimental). Requires explicit enforce command to take effect.


OpenDNSSEC 2.1.5

Version 2.1.5 of OpenDNSSEC was released on 2019-11-05.


The previous release fixed an important issue, but unfortunately left in a memory leak, which this release fixes. This release of 2.1.5 fixes the memory issue, along with some additional issues primarily relating to minor migration reporting and configuration.

The 2.1.5 release is available immediately from the download site. Installations still on the 1.4 release should really upgrade to this version as it has been tested enough by major players.


  • SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4.
  • SUPPORT-244: Don’t require Host and Port to be specified in conf.xml
    when migrating with a MySQL-based enforcer database backend.
  • Allow for MySQL database to pre-exist when performing a migration,
    and be a bit more verbose during migration.
  • Fix AllowExtraction tag in configuration file definition.
  • SUPPORT-242: Skip over EDNS cookie option.
  • SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction with CLI commands (when having > 1000 zones and aborting a pipe).
  • Correct some error messages.


OpenDNSSEC 1.4 end-of-life, upgrading and testing versions

OpenDNSSEC 2.1 was released in February 2017, and in the past two and a half years it has proven itself to be a stable and viable upgrade from 1.4, with additional features and improvements. Therefore we announce the end-of-life of OpenDNSSEC 1.4. This is one of the steps towards future releases of OpenDNSSEC that offer a better experience and shorter release cycles.

Starting today, October 8, 2019, in accordance with our policies, we will only provide essential fixes and support until 9 October 2020, after which support will no longer be available. We feel confident that existing installations can upgrade without much hassle and offer support to our customers in doing so.

OpenDNSSEC 2.1 serves as the replacement for the 1.4 LTS. The current version is 2.1.4 (download | announcement). There is a migration step necessary, for which you can find a good breakdown at the migration page.

For future releases we will be in contact with the community and interested parties about how exactly to proceed. OpenDNSSEC 2.2, whose main feature is fast updates, has had a number of testing releases that can be found on our distribution server. However, we do not expect 2.2 to become an LTS release, as, based on customer feedback, other improvements will lead to a more interesting release on which we can build.