OpenDNSSEC 1.4.0b2

Version 1.4.0b2 of OpenDNSSEC has now been released. This version is recommended for testing only, not for use in production environments.


  • ods-ksmutil: Deprecate the one-step ‘key backup’ command
  • OPENDNSSEC-292: Provide scripts to convert database between different supported formats
  • OPENDNSSEC-299: ods-ksmutil: ods-ksmutil <enter> now includes policy import
  • OPENDNSSEC-300: ods-ksmutil: policy purge documented with a warning
  • OPENDNSSEC-315: “ods-hsmutil logout” will delete any credentials in the shared memory.
  • OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL should be set to zero.
  • OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
  • OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process


  • SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
  • OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by valgrind.
  • OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals between apex and delegation when DS is added/removed.
  • Signer Engine: Fixed locking and notification on the drudge work queue; signals could be missed, so that drudgers would stall when there was work to be done.
  • libhsm: Fixed PIN handling on OpenBSD.
  • Enforcer: If enforcer workers are enabled and the configured number of workers is 1, make sure that the enforcer runs the signer update command after a signer configuration change.
  • Signer Engine: Don’t add double RRSIGs generated by the same key for the DNSKEY RRset.
  • Signer Engine: Roll back incomplete zone transfers on disk (could happen if a connection was reset during transfer).
  • Multi-threaded enforcer: various minor fixes including deadlock problems.


Download the tarball from: opendnssec-1.4.0b2.tar.gz


