Welcome to OpenDNSSEC

The OpenDNSSEC project announces the development of Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

The latest news about OpenDNSSEC can be found below!

OpenDNSSEC 1.4.10

Version 1.4.10 of OpenDNSSEC has been released on May 2nd, 2016.


This release fix targets stability issues which have had a history nad had been hard to reproduce.  Stability should be improved, running OpenDNSSEC as a long term service.

Changes in TTL in the input zone that seem not to be propagated, notifies to slaves under load that where not handled properly and could lead to assertions.  NSEC3PARAM that would appear duplicate in the resulting zone, and crashes in the signer daemon in seldom race conditions or re-opening due to a HSM reset.

No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

Also have a look at our OpenDNSSEC 2.0 beta release, its impending release will help us forward with new development and signal phasing out historic releases.


  • SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed zone.
    After a resalt the signer would fail to remove the old NSEC3PARAM RR until a manual resign or incoming transfer.
    Old NSEC3PARAMS are removed when inserting a new record, even if they look the same.
  • OPENDNSSEC-725: Signer did not properly handle new update while still distributing notifies to slaves.
    An AXFR disconnect looked not to be handled gracefully.
  • SUPPORT-171: Signer would sometimes hit an assertion using DNS output adapter when .ixfr was missing or corrupt but .backup file available.
  • Above two issues also in part addresses problems with seemingly corrected backup files (SOA serial). Also an crash on badly configured DNS output adapters is averted.
  • The signer daemon will now refuse to start when failed to open a listen socket for DNS handling.
  • OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582 SUPPORT-88: Segmentation fault in signer daemon when opening and closing hsm multiple times.
    Also addresses other concurrency access by avoiding a common context to the HSM (a.k.a. NULL context).
  • OPENDNSSEC-798: Improper use of key handles across hsm reopen, causing keys not to be available after a re-open.
  • SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is changed.
    TTL changes should be treated like any other changes to records.
  • When OpenDNSSEC now overrides a TTL value, this is now reported in the log files.


SoftHSM 2.1.0

Version 2.1.0 of SoftHSM has been released.


  • Issue #136: Improved guide and build scripts for Windows. (Thanks to Jaroslav Imrich)
  • Issue #144: The password prompt in softhsm2-util can now be interrupted (ctrl-c).
  • Issue #166: Add slots.removable config option. (Patch from Sumit Bose)
  • Issue #180: Windows configure script improvements. (Patch from Arnaud Grandville)

Bug fixes:

  • Issue #128: Prioritize the return values in C_GetAttributeValue. (Patch from Nicholas Wilson
  • Issue #129: Fix errors reported by Visual Studio 2015. (Patch from Jaroslav Imrich)
  • Issue #132: Handle the CKA_CHECK_VALUE correctly for certificates and symmetric key objects.
  • Issue #154: Fix the Windows build and destruction order of objects. (Patch from Arnaud Grandville)
  • Issue #162: Not possible to create certificate objects containing CKA_CERTIFICATE_CATEGORY, CKA_NAME_HASH_ALGORITHM, or CKA_JAVA_MIDP_SECURITY_DOMAIN.
  • Do not attempt decryption of empty byte strings. (Patch from Michal Kepien)
  • Issue #165: Minor changes after a PVS-Studio code analysis, and C_EncryptUpdate crash if no ciphered data is produced. (Patch from Arnaud Grandville)
  • Issue #169: One-byte buffer overflow in call to EVP_DecryptUpdate.
  • Issue #171: Problem while closing library that is initialized but improperly finalized.
  • Issue #173: Adjust return values for the template parsing.
  • Issue #174: C_DeriveKey() error with leading zero bytes.
  • Issue #177: CKA_NEVER_EXTRACTABLE set to CK_FALSE on objects created with C_CreateObject.
  • Issue #182: Resolve compiler warning. (Patch from Josh Datko)
  • Issue #184: Stop discarding the global OpenSSL libcrypto state. (Patch from Michal Trojnara)
  • SOFTHSM-123: Fix library cleanup on BSD.



OpenDNSSEC 1.4.9

Version 1.4.9 of OpenDNSSEC has now been released.


The main motivations for this release are bug fixes related to use cases with large number of zones (more than 50 zones) in combination with an XFR based setup. Too much concurrent zone transfers causes new transfers to be held back. These excess transfers however were not properly scheduled for later.

No migration steps needed when upgrading from OpenDNSSEC 1.4.8.


  • Add TCP waiting queue. Fix signer getting ‘stuck’ when adding many zones at once. Thanks to Håvard Eidnes to bringing this to our attention.
  • OPENDNSSEC-723: received SOA serial reported as on disk.
  • Fix potential locking issue on SOA serial.
  • Crash on shutdown. At all times join xfr and dns handler threads.
  • Make handling of notifies more consistent. Previous implementation would bounce between code paths.