OpenDNSSEC 1.0.0rc3

Version 1.0.0rc3 of OpenDNSSEC has now been released. This should be the last release candidate before 1.0.0.


  • ods-ksmutil: The ksk-roll command did not handle its options correctly
  • Auditor: Configured zone SOA TTL now used to track pre-published keys, rather than the unsigned zone SOA TTL.
  • Enforcer: There was a flaw in the implementation of the timing code (it  follows an earlier version of the draft and at one point does not add on the safety margin).
  • Enforcer: MySQL memory leaks fixed.
  • Signer Engine: When changing policy or rollover a key, the old signed zone was not found, so always resulting in a fresh resign.
  • Signer Engine: RRsets with varying TTLs on the records where considered different RRsets, the signer engine now eqaulizes those TTLs.


  • A code review was performed by members of the project group. No serious problem was found. The code review resulted in some polishing of the code.
  • Dnsruby-1.42 is now required, it fixes issues with TXT and NAPTR record parsing.
  • ldns 1.6.4 is now required.
  • Known issues has been moved from NEWS to KNOWN_ISSUES.

Download the tarball from: opendnssec-1.0.0rc3.tar.gz

Comments are closed.