The OpenDNSSEC project

OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy. The project is Open Source and intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

SoftHSM 2.6.1

SoftHSM version 2.6.1 was released on 2020-04-29.


  • Issue #542: Support Ed448/X448 for OpenSSL.
  • Issue #538: Improved warning and compilation issues for GCC10
  • Issue #527: Fixed compilation issues for MacOS 10.15.4/Xcode 11.4
  • Download:

SoftHSM 2.6.0

SoftHSM version 2.6.0 was released on March 17. This is mostly a continued development of SoftHSMv2, and thus should replace the 2.5 branch to receive any patches.

Even though this is continuation of the development, we should point out that we have upgraded the optional dependency to Botan to version 2. Other fixes and improvements should not influence existing functionality. For a more complete list of improvements see below and the NEWS file inside the package.

No migration, configuration changes or path changes are necessary and the build configuration should not need changing.


  • Issue #493: Upgrade to Botan 2.
  • Issue #530: Update appveyor build.
  • Issue #438: Detect crypto algorithms by default. (Patch from Alon Bar-Lev)
  • Issue #455: Provide a new configuration option to allow enabling and disabling various mechanisms (slots.mechanisms in the softhsm2.conf). (Thanks to Jakub Jelen)
  • Issue #479: Increase SQLite busy timeout from 15 seconds to 3 minutes. (Patch from Jan Luebbe)
  • Issue #513: Add configuration option to reset state on fork closing all sessions rather than keeping all sessions open in duplicate process. (Thanks to Anderson Toshiyuki Sasaki)
  • Issue #500: C_WaitForSlotEvent implementation. (Patch from massey101)
  • Issue #445: Add wrap support with CKM_AES_CBC.


  • Issue #418: Set fields to NULL to avoid double free. (Patch from Brian J Murray)
  • Issue #423: ENGINE_load_rdrand is not supported with older openssl. (Patch from Alon Bar-Lev)
  • Issue #429: Updated prerequisite to build from repository. (Patch from Dharmesh Khandelwal)
  • Issue #434: Fix build issues with CMake. (Patch from Peter Wu)
  • Issue #435: Fix botan build without EDDSA. (Patch from Peter Wu)
  • Issue #442: Release resources from OSSLEVPSymmetricAlgorithm. (Patch from Petr Menšík)
  • Issue #449/#502: Do not copy zero sized buffer avoid null pointer reference. (Patch from space88man)
  • Issue #464: Race condition with multiple threads closing last session and opening a newer sessions. (Patch from Takarth)
  • Issue #452: Fixes to automake build fir undefined macros.
  • Issue #462: User PIN count wrongly calculated. (Patch from Ondřej Hlavatý)
  • Issue #516: Fix memory leak in OSSLCryptoFactory. (Patch from Anderson Sasaki)
  • Issue #494: Allow null pointers as arguments when count is zero. (Patch from Yunjong Jeong)
  • Issue #518: Sporadic problem in closing sessions because of lookup of object without prior locking.
  • Issue #506: Check key type for C_EncryptInit and C_DecryptInit. (Patch from Yunjong Jeong)
  • Issue #526: Adjust EDDSA code to return valid EC_PARAMS. (Patch from Jakub Jelen)
  • Issue #452: Autogen failure on undefined macro AC_MSG_ERROR.
  • Issue #527: Fixed some build errors for GCC 10.
  • Issue #470: Null pointer arguments validation for C_EncryptFinal, etc.


OpenDNSSEC 2.1.6

Version 2.1.6 of OpenDNSSEC has been released on 2020-02-10.


This release of 2.1.6 fixes some issues regarding the key list wrongfully displayed (a regression bug in 2.1.5) as well as a small leak in the enforcer (which can add up when you bang the enforcer with a lot of commands). And as well as a serious signing error when using Combined Signing Keys (CSKs), this is only relevant if you combine KSK and ZSK in one. Especially users of CSKs need this fix now. Another nice fix is a reconnect to a MySQL/MariaDB database you you don’t have to tweak database parameters

The 2.1.6 release is available immediately from the download site.


  • OPENDNSSEC-913: verify database connection upon every use.
  • OPENDNSSEC-944: bad display of date of next transition (regression)
  • SUPPORT-250: missing signatures on using combined keys (CSK)
  • OPENDNSSEC-945: memory leak per command to enforcer.
  • OPENDNSSEC-946: unclean enforcer exit in case of certain config problems.
  • OPENDNSSEC-411: set-policy command to change policy of zone (experimental). Requires explicit enforce command to take effect.