OpenDNSSEC 1.3.0

Version 1.3.0 of OpenDNSSEC has now been released.

Changes between 1.3.0 and 1.3.0rc3

  • Include simple-dnskey-mailer-plugin in dist.
  • Enforcer: Change message about KSK retirement to make it less confusing.


  • ods-control: If the Enforcer did not close down, you entered an infinite loop.
  • Signer Engine: Fix log message typos.
  • Signer Engine: Fix crash where ods-signer update
  • Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.
  • Zonefetcher: Sometimes invalid ‘Address already in use’ occurred.
  • Bugfix #247: Fixes bug introduced by bugfix #242.

Download the tarball from: opendnssec-1.3.0.tar.gz


Summery of changes between 1.3.0 and 1.2 branch

  • Support for signing the root. Use the zone name “.”
  • <SkipPublicKey/> is enabled for SoftHSM in the default configuration. It improves the performance by only using the private key objects.
  • Document the <RolloverNotification> tag in conf.xml.
  • Match the names of the signer pidfile and enforcer pidfile.
  • Include check for resign < resalt in ods-kaspcheck.
  • Do not distribute trang.
  • Include simple-dnskey-mailer-plugin in dist.
  • Enforcer: Stop import of policy if it is not consistent.
  • ods-signer: The queue command will now also show what tasks the workers are working on.
  • Signer Engine: Just warn if occluded zone data was found, don’t stop signing process.
  • Signer Engine: Simpler serial maintenance, reduces the number of conflicts. Less chance to hit a ‘cannot update: serial too small’ error message.
  • Signer Engine: Simpler NSEC(3) maintenance.
  • Signer Engine: Temperate the number of backup files.
  • Signer Engine: Set number of <SignerThreads> in conf.xml to get peak performance from HSMs that can handle multiple threads.


  • Bugreport #139: ods-auditor fails on root zone.
  • Bugreport #198: Zone updates ignored?
  • Bugreport #231: Fix MySQL version check.
  • Replace tab with white-space when writing to syslog.
  • Fix test for java executable and others.
  • Enforcer: ‘make check’ now works.
  • Enforcer: Fixed some memory leaks in the tests.
  • ods-ksmutil: Update now sends a HUP to the enforcerd.
  • Signer Engine: Do not block update command while signing.
  • Signer Engine: The default working directory was not specified.
  • Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.

Comments are closed.