The OpenDNSSEC project

OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy. The project is Open Source and intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

OpenDNSSEC 2.1.12

Version 2.1.12 of OpenDNSSEC was released on 2022-11-08.

News

This is a maintenance release of OpenDNSSEC addressing additional issues relating to the previous bug-fix release. Installations that use shared keys or want to use salt lengths of zero must use this release. Other installations will benefit from better reporting in case of issues.

RPM for RHEL/CentOS, deb and tgz packages will be provided at the same download location.

Issues

  • Ensure debug symbols on RPM-style builds;
  • Fixed a bug that prevented restoring state when salt length was zero;
  • Bug fix for enforcer daemon crash after deleting key on some systems.

Download

OpenDNSSEC 2.1.11

Version 2.1.11 of OpenDNSSEC was released on 2022-10-17.

News

This is a maintenance release of OpenDNSSEC addressing a number of different issues. Installations that use shared keys in particular should migrate to this version. Installations that want to migrate to an NSEC3 salt of length 0 will also benefit (this applies only to migrating to such a salt).

RPM for RHEL/CentOS, deb and tgz packages will be provided at the same download location.

Issues

  • Fixed improper re-use of already used keys when using as a consequence of a previous bug in 2.1.6;
  • Improved reporting upon aborts of daemon process;
  • Fix for migration to salt of length 0;
  • Fix for empty IXFR cases;
  • Downgraded log message key_update_failed because this action is retried.

Download

OpenDNSSEC 2.1.10

Version 2.1.10 of OpenDNSSEC was released on 2021-09-10.

News

This release addresses an automatic re-salting after a migration from 1.4
and an error manifesting as a key_data_update failure in the logs where
a retired key wasn’t removed from the signer configuration in time in
certain circumstances.
Also an RPM is now provided for RHEL/CentOS distros at the same download
location.

Issues

  • OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys being (transiently) unavailable.
  • OPENDNSSEC-956: Harden signing procedure to still sign zones for which unused keys are specified in the zone but are unavailable.
  • OPENDNSSEC-957: Fix exit code of signer daemon so that it does not always report failure.
  • OPENDNSSEC-958: Fix immediate resalting after migration from 1.4.
  • OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration count that is deemed too high.
  • SUPPORT-265: Resolve conflict when deleting keys from HSM whilst also performing a step in the key roll process. Typically a message “key_data_update failed” is present in logs.
  • Provided RedHat/CentOS spec file in contrib directory.

Download