Welcome to OpenDNSSEC

The OpenDNSSEC project announces the development of Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

The latest news about OpenDNSSEC can be found below!

Algorithm Rollover in OpenDNSSEC 1.3

Changing signature algorithms in DNSSEC is a different process from a normal key rollover. OpenDNSSEC currently does not support rolling to another algorithm. The only safe way to do it would be to retract your DS record and go insecure for a short while. However, we have now worked out a way to do an algorithm rollover with OpenDNSSEC 1.3 while keeping the zone properly signed and without taking the signer daemon offline. No service downtime should be needed.


Version of OpenDNSSEC has now been released.


  • Support for RFC5011 style KSK rollovers. KSK section in the KASP now accepts element.
  • Enforcer: New repository option allows keys to be generated with the CKA_EXTRACTABLE attribute set to TRUE, so that keys can be wrapped and extracted from the HSM.


  • SUPPORT-145: EOF handling on ARM architecture caused signer to hang.
  • Fixed signer hitting assertion on short reply XFR handler.
  • Include revoke bit in keytag calculation.
  • Increased stacksize on some systems (thanks Patrik Lundin!).
  • Stop ods-signerd on SIGINT.


  • By error 1.4.8 did not include database migration scripts for upgrading existing installations. resolves this issue.


SoftHSM 2.0.0

Version 2.0.0 of SoftHSM has been released. More updates and bug fixes can be found in the alpha and beta release notes.


  • SOFTHSM-121: Test cases for C_DecryptUpdate/C_DecryptFinal.
  • Support C_DecryptUpdate/C_DecryptFinal for symmetric algorithms. (Patch from Thomas Calderon

Bug fixes:

  • SOFTHSM-120: Segfault after renaming variables.