Archive for the ‘Releases’ Category

OpenDNSSEC 2.0.1

Version 2.0.1 of OpenDNSSEC has been released on 2016-07-21.


This release is primarily focused on ironing out the issues on the migration path from 1.4 to 2.0. Besides that there are no functional changes.


  • Fixed crash and linking issue in ods-migrate.
  • Fixed case where 2.0.0 could not read backup files from 1.4.10.
  • Fixed bug in migration script where key state in the database wasn’t transformed properly.


OpenDNSSEC 2.0.0

It gives us pleasure to announce the release of OpenDNSSEC 2.0.

OpenDNSSEC got an entire rewrite of the enforcer. This part of OpenDNSSEC controls changing signing keys in the right way to perform a roll-over. Before, the enforcer would perform a roll-over according to a strict paradigm: one scenario from which deviations were not possible.

The new enforcer is more aware of the zone changes being propagated on the Internet. It can therefore decide when it is safe to make changes, rather than relying upon a given scenario. This makes it possible now for OpenDNSSEC to:

  • Allow changing your TTL values and all other related parameters in your key and signing policy (KASP). OpenDNSSEC will know which outdated records may still be on the Internet due to their TTL and only roll when it is safe.
  • Safely roll to an unsigned situation, without going bogus.
  • Perform a roll-over procedure at any time, even if a roll-over procedure is still in progress. This way you can abort a roll-over and perform emergency roll-overs.
  • Perform a roll-over to a different signing algorithm. DNSSEC requires the algorithm number of ZSK and KSK to be the same, so a roll-over to a different algorithm requires a different sequence.
  • Perform other roll-over methods, like a double DS roll-over or a double RRSIG roll-over, which will become possible since there is no longer a single scenario.

These features keep your zone valid even in situations where changing parameters could trap you into a bogus situation. OpenDNSSEC chooses the fastest safe steps to keep (or even heal) your zone. Other features have also been realized in this rewrite:

  • Shared keys, allowing multiple zones to share the most recent signing key for that policy. Useful when you have many zones and limited storage in your HSM.
  • Combined keys, allowing KSK and ZSK to be the same key. This limits the number of keys in use and also simplifies key usage.
  • Zones can also pass through unsigned. This allows for a chain of software packages where both signed and unsigned zones can follow the same steps in your chain, simplifying the set-up.
  • The enforcer no longer needs to be run periodically, but runs as a proper daemon which wakes up at the proper time.
  • Multiple HSMs are supported, also allowing you to roll your zone from keys in one HSM to another, or to store KSK and ZSK separately.
  • This could even be used in set-ups where the key set is signed separately from your zone.
  • The enforcer daemon can now be queried and given commands using a command-line channel.

Administratively, there has also been a major change. NLnet Labs has adopted the full development of OpenDNSSEC, where previously it was one of the partners in the project. This ensures a future-safe continued development of OpenDNSSEC. In this respect we will see more feature enhancements in quicker release cycles soon.

Some heads-up when trying it out after being used to 1.4:

  • Scripted migration from 1.4 to 2.0 is available, see the MIGRATION file.
  • Use the command ods-enforcer-db-setup rather than “ods-ksmutil setup”.
  • Any other use of ods-ksmutil is replaced with the ods-enforcer command, which at the moment requires the enforcer daemon to be running.
  • Use ods-enforcer zone add and delete rather than modifying the zonelist.xml file yourself. This file is not kept up-to-date automatically anymore.
  • To start using OpenDNSSEC, use ods-enforcer policy import instead of update kasp to update your policies.
  • Getting started at: Quick start guide.

Edit: Update from 2.0.0 to 2.0.0-1. Both releases are identical but 2.0.0 lacked some database generation scripts required for migration from 1.4.10.


OpenDNSSEC 1.4.10

Version 1.4.10 of OpenDNSSEC has been released on May 2nd, 2016.


This release targets stability issues which have had a history and had been hard to reproduce. Stability should be improved when running OpenDNSSEC as a long-term service.

The issues addressed are: changes in TTL in the input zone that seemed not to be propagated; notifies to slaves under load that were not handled properly and could lead to assertions; NSEC3PARAM records that would appear duplicated in the resulting zone; and crashes in the signer daemon in rare race conditions or when re-opening due to an HSM reset.

No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

Also have a look at our OpenDNSSEC 2.0 beta release. Its impending release will help us move forward with new development and signals the phasing out of historic releases.


  • SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed zone.
    After a resalt the signer would fail to remove the old NSEC3PARAM RR until a manual resign or incoming transfer.
    Old NSEC3PARAMS are removed when inserting a new record, even if they look the same.
  • OPENDNSSEC-725: Signer did not properly handle a new update while still distributing notifies to slaves.
    An AXFR disconnect appeared not to be handled gracefully.
  • SUPPORT-171: Signer would sometimes hit an assertion using the DNS output adapter when .ixfr was missing or corrupt but a .backup file was available.
  • The above two issues also in part address problems with seemingly corrected backup files (SOA serial). A crash on badly configured DNS output adapters is also averted.
  • The signer daemon will now refuse to start when it fails to open a listen socket for DNS handling.
  • OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582 SUPPORT-88: Segmentation fault in signer daemon when opening and closing the HSM multiple times.
    Also addresses other concurrent access by avoiding a common context to the HSM (a.k.a. NULL context).
  • OPENDNSSEC-798: Improper use of key handles across HSM reopen, causing keys not to be available after a re-open.
  • SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is changed.
    TTL changes should be treated like any other changes to records.
  • When OpenDNSSEC overrides a TTL value, this is now reported in the log files.


SoftHSM 2.1.0

Version 2.1.0 of SoftHSM has been released.


  • Issue #136: Improved guide and build scripts for Windows. (Thanks to Jaroslav Imrich)
  • Issue #144: The password prompt in softhsm2-util can now be interrupted (ctrl-c).
  • Issue #166: Add slots.removable config option. (Patch from Sumit Bose)
  • Issue #180: Windows configure script improvements. (Patch from Arnaud Grandville)

Bug fixes:

  • Issue #128: Prioritize the return values in C_GetAttributeValue. (Patch from Nicholas Wilson)
  • Issue #129: Fix errors reported by Visual Studio 2015. (Patch from Jaroslav Imrich)
  • Issue #132: Handle the CKA_CHECK_VALUE correctly for certificates and symmetric key objects.
  • Issue #154: Fix the Windows build and destruction order of objects. (Patch from Arnaud Grandville)
  • Issue #162: Not possible to create certificate objects containing CKA_CERTIFICATE_CATEGORY, CKA_NAME_HASH_ALGORITHM, or CKA_JAVA_MIDP_SECURITY_DOMAIN.
  • Do not attempt decryption of empty byte strings. (Patch from Michal Kepien)
  • Issue #165: Minor changes after a PVS-Studio code analysis, and C_EncryptUpdate crash if no ciphered data is produced. (Patch from Arnaud Grandville)
  • Issue #169: One-byte buffer overflow in call to EVP_DecryptUpdate.
  • Issue #171: Problem while closing library that is initialized but improperly finalized.
  • Issue #173: Adjust return values for the template parsing.
  • Issue #174: C_DeriveKey() error with leading zero bytes.
  • Issue #177: CKA_NEVER_EXTRACTABLE set to CK_FALSE on objects created with C_CreateObject.
  • Issue #182: Resolve compiler warning. (Patch from Josh Datko)
  • Issue #184: Stop discarding the global OpenSSL libcrypto state. (Patch from Michal Trojnara)
  • SOFTHSM-123: Fix library cleanup on BSD.



OpenDNSSEC 1.4.9

Version 1.4.9 of OpenDNSSEC has now been released.


The main motivations for this release are bug fixes related to use cases with a large number of zones (more than 50 zones) in combination with an XFR-based setup. Too many concurrent zone transfers cause new transfers to be held back. These excess transfers, however, were not properly scheduled for later.

No migration steps needed when upgrading from OpenDNSSEC 1.4.8.


  • Add TCP waiting queue. Fix signer getting ‘stuck’ when adding many zones at once. Thanks to Håvard Eidnes for bringing this to our attention.
  • OPENDNSSEC-723: received SOA serial reported as on disk.
  • Fix potential locking issue on SOA serial.
  • Crash on shutdown. At all times join xfr and dns handler threads.
  • Make handling of notifies more consistent. Previous implementation would bounce between code paths.



Version of OpenDNSSEC has now been released.


  • Support for RFC5011 style KSK rollovers. KSK section in the KASP now accepts element.
  • Enforcer: New repository option allows generating keys with the CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped and extracted from the HSM.


  • SUPPORT-145: EOF handling on ARM architecture caused signer to hang.
  • Fixed signer hitting assertion on short reply in XFR handler.
  • Include revoke bit in keytag calculation.
  • Increased stacksize on some systems (thanks Patrik Lundin!).
  • Stop ods-signerd on SIGINT.


  • By error 1.4.8 did not include database migration scripts for upgrading existing installations. resolves this issue.


SoftHSM 2.0.0

Version 2.0.0 of SoftHSM has been released. More updates and bug fixes can be found in the alpha and beta release notes.


  • SOFTHSM-121: Test cases for C_DecryptUpdate/C_DecryptFinal.
  • Support C_DecryptUpdate/C_DecryptFinal for symmetric algorithms. (Patch from Thomas Calderon)

Bug fixes:

  • SOFTHSM-120: Segfault after renaming variables.



SoftHSM 2.0.0b3

Version 2.0.0b3 of SoftHSM has been released.


  • SOFTHSM-113: Support for Botan 1.11.15
  • SOFTHSM-119: softhsm2-util: Support ECDSA key import (Patch from Magnus Ahltorp)
  • SUPPORT-139: Support deriving generic secrets, DES, DES2, DES3, and AES. Using DH, ECDH or symmetric encryption.


  • SOFTHSM-108: A certificate marked as trusted cannot be imported.
  • SOFTHSM-109: Unused parameter and variable warnings.
  • SOFTHSM-110: subdir-objects warnings from autoreconf.
  • SOFTHSM-111: Include in dist.
  • SOFTHSM-112: CKM_AES_KEY_WRAP* conflict in pkcs11.h.
  • SOFTHSM-114: Fix memory leak in a test script.
  • SOFTHSM-115: Fix static analysis warnings.
  • SUPPORT-154: An object marked as non-modifiable cannot be generated.
  • SUPPORT-155: auto_ptr is deprecated in C++11, use unique_ptr.
  • SUPPORT-157: Derived secrets were truncated after encryption and could thus not be decrypted.
  • Mutex should call MutexFactory wrapper functions. (Patch from Jerry Lundström)
  • Return detailed error message to loadLibrary(). (Patch from Petr Spacek)



SoftHSM 2.0.0b2

Version 2.0.0b2 of SoftHSM has been released.


  • SOFTHSM-50: OpenSSL FIPS support.
  • SOFTHSM-64: Updated build script for Windows.
  • SOFTHSM-100: Use --free with softhsm2-util to initialize the first free token.
  • SOFTHSM-103: Allow runtime configuration of log level.
  • SOFTHSM-107: Support for CKM__CBC_PAD.
  • Add support for CKM_RSA_PKCS_OAEP key un/wrapping. (Patch from Petr Spacek)
  • Use OpenSSL EVP interface for AES key wrapping. (Patch from Petr Spacek)
  • Allow reading configuration file from user’s home directory. (Patch from Nikos Mavrogiannopoulos)


  • SOFTHSM-102: C_DeriveKey() uses OBJECT_OP_GENERATE.
  • Coverity found a number of issues.



OpenDNSSEC 1.4.7

Version 1.4.7 of OpenDNSSEC has now been released.


  • SUPPORT-147: Zone updating via zone transfer can get stuck (Håvard Eidnes)
  • Crash on ‘retransfer’ command when not using DNS adapters.


  • Checksum SHA256: 8f757ca9e88d6a6dc8f9b6e46a3da5e3a2881b3311fb91c428bcf906683ac41f
