The OpenDNSSEC project

OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy. The project is Open Source and intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

SoftHSM 2.5.0

Version 2.5.0 of SoftHSM has been released.


  • Issue #323: Support for EDDSA with vendor defined mechanisms.
    (Patch from Francis Dupont)
  • Issue #362: CMake Build System Support for SoftHSM.
    (Patch from Constantine Grantcharov)
  • Issue #368: Support migrating 32-bit SoftHSMv1 DB on 64-bit system (LP64).
  • Issue #385: Default is not to build EDDSA since it has not been released in OpenSSL.
  • Issue #387: Windows: Add VS2017 detection to
    (Patch from Jaroslav Imrich)
  • Issue #412: Replace PKCS11 headers with a version from p11-kit.
    (Patch from Alexander Bokovoy)


  • Issue #366: Support cross-compilation.
    (Patch from Michael Weiser)
  • Issue #377: Duplicate symbol error with custom p11test.
  • Issue #386: Use RDRAND in OpenSSL if that engine is available.
  • Issue #388: Update DBTests.cpp to fix x86 test failure.
    (Patch from tcely)
  • Issue #393: Not setting CKA_PUBLIC_KEY_INFO correctly.
    (Patch from pkalapat)
  • Issue #401: Wrong key and keyserver mentioned in installation documentation.
    (Patch from Berry A.W. van Halderen)
  • Issue #408: Remove mutex callbacks after C_Finalize().
    (Patch from Alexander Bokovoy)


SoftHSM 2.4.0

Version 2.4.0 of SoftHSM has been released.


  • Issue #135: Support PKCS#8 for GOST.
  • Issue #140: Support for CKA_ALLOWED_MECHANISMS.
    (Patch from Brad Hess)
  • Issue #141: Support CKA_ALWAYS_AUTHENTICATE for private key objects.
  • Issue #220: Support for CKM_DES3_CMAC and CKM_AES_CMAC.
  • Issue #226: Configuration option for Windows build to enable build with static CRT (/MT).
  • Issue #325: Support for CKM_AES_GCM.
  • Issue #334: Document that initialized tokens will be reassigned to another slot (based on the token serial number).
  • Issue #335: Support for CKM_RSA_PKCS_PSS.
    (Patch from Nikos Mavrogiannopoulos)
  • Issue #341: Import AES keys with softhsm2-util.
    (Patch from Pavel Cherezov)
  • Issue #348: Document that OSX needs pkg-config to detect cppunit.
  • Issue #349: softhsm2-util will check the configuration and report any issues before loading the PKCS#11 library.


  • Issue #345: Private objects are presented to security officer in search results.
  • Issue #358: Race condition when multiple applications are creating and reading object files.


OpenDNSSEC 2.1.3

Version 2.1.3 of OpenDNSSEC has been released on 2017-08-10.


As of today version 2.1.3 of OpenDNSSEC has been released. No special migration steps are required when upgrading from a previous 2.x.x release. It includes fixes to the build system, some regressions w.r.t. OpenDNSSEC 1.4 and a signing bug.

Build fixes

  • OPENDNSSEC-904: autoconfigure fails to properly identify functions in ssl library on some distributions. This caused the “tsig unknown algorithm hmac-sha256″ error.
  • OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer.


  • OPENDNSSEC-508: Tag RolloverNotification was not functioning correctly
  • OPENDNSSEC-901: Enforcer would ignore ManualKeyGeneration tag in conf.xml
  • OPENDNSSEC-906: Tag AllowExtraction tag included from late 1.4 development

Bugs Fixed

  • OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge of keys not being scheduled. The purge would happen but some time later than expected.
  • OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
  • OPENDNSSEC-908: Warn when TTL of resource record exceeds KASP’s MaxZoneTTL. Formerly the signer would cap such TTLs to prevent situations where those records could get bogus during ZSK rollover. However it has been realized that this can potentially lead to failing IXFRs. We intend to bring back this feature in the near future when our internal data representation allows this.