Archive for the ‘Uncategorized’ Category

OpenDNSSEC 2.1.9

Version 2.1.9 of OpenDNSSEC has been released on 2021-05-03.


This release contains two changes that avoid some problems with certain HSM configuration, one of them is SoftHSMv2 in database back-end mode.
This can lead to temporarily not being able to sign zones, hence upgrading is really recommended.
It does not occur on all systems and configurations though.


  • OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys to be (transiently) unavailable.
  • OPENDNSSEC-956: Harden signing procedure to still sign zones for which there are unused keys specified in the zone which are unavailable.


OpenDNSSEC 2.1.8

Version 2.1.8 of OpenDNSSEC has been released on 2020-02-20.


This release of 2.1.8 fixes a number of bugs related to the purging of keys, a potential denial of service vulnerability in some installations, and a few rarer but nasty potential crashes. Earlier versions of OpenDNSSEC 2.1 might not have all keys purged from the HSM if instructed to do so. Since this is now done automatically this is worth pointing out that this was a bug and old keys will be permanently removed from the HSM.

Either when manually purging keys, or having
specified a in your key policy (kasp.xml), the keys are supposed
to be removed from the HSM. However, for some time, the keys were marked
for deletion, and became invisible, but the removal from the HSM was
skipped. In this release candidate this is fixed, but still allowing
keys not to be removed entirely. When you specify an automatic purge
then the keys will, after the specified period, will be completely
removed. When you purge manually, keys are not removed from the HSM
unless you specify an additional flag (the –delete or -d flag).

Special thanks to the people that help us in making OpenDNSSEC better
and better, mentioned in the NEWS file as always. Two of the bugs
were only traceable using this help.

The 2.1.8 release is available immediately from the download site.


  • OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for version 2.69/1.16.2.
  • SUPPORT-261: Fix to crash when using ods-enforcer set-policy command.
  • OPENDNSSEC-953: Fix to crash in case zone file not present while getting a signconf update and state flush command.

    Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
  • OPENDNSSEC-951: Modify the purging of keys, to make it automatic to purge keys from the HSM.

    Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
  • OPENDNSSEC-950: Fix that caused crash when signer was offline for a prolonged period (but the enforcer wasn’t) in the middle of a ZSK roll.
  • OPENDNSSEC-952: memory leak in when receiving NOTIFY for non-existent zone (Thanks Sébastien Tisserant to for reporting).


OpenDNSSEC 2.1.7

Version 2.1.7 of OpenDNSSEC has been released on 2020-10-05.


This release of 2.1.7 fixes a bug in the migration script to migrate from 1.4 to 2.1. Additionally a bug in creating unnecessary signatures during a ZSK roll was fixed. We also had some contributions regarding edward curves and exporting keys by CKA identifier and other corrections and improvements, see the full list below.

The 2.1.7 release is available immediately from the download site.


  • OPENDNSSEC-949: Fix for migration bug not keeping proper parameters of NSEC3 signed zones. Amongst others the zone become NSEC. Loading the policies
    fixes the situation, migration scripts now corrected. Since 1.4 does not require a salt, a resalt might be automatic after migrating, as this is
    a required parameter.
  • OPENDNSSEC-948: do not recreate signatures for keys that are moving out this fixes unexpected double signatures in the zone.
  • SUPPORT-253: Incorrect keytag used when using Combined Signing keys (CSK) (Thanks to Simon Arlott)
  • SUPPORT-257: Export keys by locator (Thansk to Simon Arlott)
  • SUPPORT-222: Support ED25519/ED448 keys. This requires library ldns 1.7.0 or better, otherwise unavailable. (Thanks again to Simon Arlott)
  • Load and fall back on to allow to run migration tool on systems without soft link. (Thanks to Paul Wouters)
  • Some compilation warnings, o.a. gcc10 related, code quality and initialization improvements. (Thanks to Jonas Berlin, and Mathieu MirMont, and Paul Wouters)


SoftHSM 2.6.1

SoftHSM version 2.6.1 was released on 2020-04-29.


  • Issue #542: Support Ed448/X448 for OpenSSL.
  • Issue #538: Improved warning and compilation issues for GCC10
  • Issue #527: Fixed compilation issues for MacOS 10.15.4/Xcode 11.4
  • Download:

SoftHSM 2.6.0

SoftHSM version 2.6.0 was released on March 17. This is mostly a continued development of SoftHSMv2, and thus should replace the 2.5 branch to receive any patches.

Even though this is continuation of the development, we should point out that we have upgraded the optional dependency to Botan to version 2. Other fixes and improvements should not influence existing functionality. For a more complete list of improvements see below and the NEWS file inside the package.

No migration, configuration changes or path changes are necessary and the build configuration should not need changing.


  • Issue #493: Upgrade to Botan 2.
  • Issue #530: Update appveyor build.
  • Issue #438: Detect crypto algorithms by default. (Patch from Alon Bar-Lev)
  • Issue #455: Provide a new configuration option to allow enabling and disabling various mechanisms (slots.mechanisms in the softhsm2.conf). (Thanks to Jakub Jelen)
  • Issue #479: Increase SQLite busy timeout from 15 seconds to 3 minutes. (Patch from Jan Luebbe)
  • Issue #513: Add configuration option to reset state on fork closing all sessions rather than keeping all sessions open in duplicate process. (Thanks to Anderson Toshiyuki Sasaki)
  • Issue #500: C_WaitForSlotEvent implementation. (Patch from massey101)
  • Issue #445: Add wrap support with CKM_AES_CBC.


  • Issue #418: Set fields to NULL to avoid double free. (Patch from Brian J Murray)
  • Issue #423: ENGINE_load_rdrand is not supported with older openssl. (Patch from Alon Bar-Lev)
  • Issue #429: Updated prerequisite to build from repository. (Patch from Dharmesh Khandelwal)
  • Issue #434: Fix build issues with CMake. (Patch from Peter Wu)
  • Issue #435: Fix botan build without EDDSA. (Patch from Peter Wu)
  • Issue #442: Release resources from OSSLEVPSymmetricAlgorithm. (Patch from Petr Menšík)
  • Issue #449/#502: Do not copy zero sized buffer avoid null pointer reference. (Patch from space88man)
  • Issue #464: Race condition with multiple threads closing last session and opening a newer sessions. (Patch from Takarth)
  • Issue #452: Fixes to automake build fir undefined macros.
  • Issue #462: User PIN count wrongly calculated. (Patch from Ondřej Hlavatý)
  • Issue #516: Fix memory leak in OSSLCryptoFactory. (Patch from Anderson Sasaki)
  • Issue #494: Allow null pointers as arguments when count is zero. (Patch from Yunjong Jeong)
  • Issue #518: Sporadic problem in closing sessions because of lookup of object without prior locking.
  • Issue #506: Check key type for C_EncryptInit and C_DecryptInit. (Patch from Yunjong Jeong)
  • Issue #526: Adjust EDDSA code to return valid EC_PARAMS. (Patch from Jakub Jelen)
  • Issue #452: Autogen failure on undefined macro AC_MSG_ERROR.
  • Issue #527: Fixed some build errors for GCC 10.
  • Issue #470: Null pointer arguments validation for C_EncryptFinal, etc.


OpenDNSSEC 2.1.6

Version 2.1.6 of OpenDNSSEC has been released on 2020-02-10.


This release of 2.1.6 fixes some issues regarding the key list wrongfully displayed (a regression bug in 2.1.5) as well as a small leak in the enforcer (which can add up when you bang the enforcer with a lot of commands). And as well as a serious signing error when using Combined Signing Keys (CSKs), this is only relevant if you combine KSK and ZSK in one. Especially users of CSKs need this fix now. Another nice fix is a reconnect to a MySQL/MariaDB database you you don’t have to tweak database parameters

The 2.1.6 release is available immediately from the download site.


  • OPENDNSSEC-913: verify database connection upon every use.
  • OPENDNSSEC-944: bad display of date of next transition (regression)
  • SUPPORT-250: missing signatures on using combined keys (CSK)
  • OPENDNSSEC-945: memory leak per command to enforcer.
  • OPENDNSSEC-946: unclean enforcer exit in case of certain config problems.
  • OPENDNSSEC-411: set-policy command to change policy of zone (experimental). Requires explicit enforce command to take effect.


OpenDNSSEC 2.1.5

Version 2.1.5 of OpenDNSSEC has been released on 2019-11-05.


The previous release fixed an important issue, but unfortunately left in a memory leak, which this release fixes. This release of 2.1.5 fixes the memory issue, along with some additional issues primarily relating to minor migration reporting and configuration.

The 2.1.5 release is available immediately from the download site. Installations still on the 1.4 release should really upgrade to this version as it has been tested enough by major players.


  • SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4.
  • SUPPORT-244: Don’t require Host and Port to be specified in conf.xml
    when migrating with a MySQL-based enforcer database backend.
  • Allow for MySQL database to pre-exist when performing a migration,
    and be a bit more verbose during migration.
  • Fix AllowExtraction tag in configuration file definition.
  • SUPPORT-242: Skip over EDNS cookie option.
  • SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction with CLI commands (when having > 1000 zones and aborting a pipe).
  • Correct some error messages.


OpenDNSSEC 1.4.14

Version 1.4.14 of OpenDNSSEC has been released on 2017-04-28.


Hereby we announce the OpenDNSSEC 1.4.14 release.

Bugs Fixed

  • OPENDNSSEC-888: Fix up MySQL<->SQLite3 database conversion script.
  • OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and ZSK have exactly the same parameters. This would prevent KSK rollovers.
  • OPENDNSSEC-890: Bogus signatures on mismatching TTLs within the same RRset.


OpenDNSSEC 2.1.1

Version 2.1.1 of OpenDNSSEC has been released on 2017-04-28.


OpenDNSSEC 2.1.1 addresses a number of bug fixes. No migration steps are required when upgrading from an earlier 2.X release. In case you are still on the 1.4.X branch and like to upgrade to 2.1.1 you are advised to do so directly rather than installing earlier 2.X versions first.

Bugs Fixed

  • OPENDNSSEC-889: MySQL migration script didn’t work for all database and MySQL versions.
  • OPENDNSSEC-887: Segfault on extraneous tag.
  • OPENDNSSEC-880: Command line parsing for import key command failed.
  • OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for same rrset are mismatching.


OpenDNSSEC 1.4.13

Version 1.4.13 of OpenDNSSEC has been released on 2017-01-20.


Hereby we announce the OpenDNSSEC 1.4.13 release. It includes a small number of bug fixes and no migration steps are needed. Some minor code adjustments where made to make linking to OpenSSL 1.1.0 possible.

This release is signed by our new (Jan 11th) PGP key.


  • OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
  • OPENDNSSEC-853: Fixed serial_xfr_acquired not updated in state file.
  • Wrong error was sometimes being print on failing TCP connect.
  • Add support for OpenSSL 1.1.0.
  • OPENDNSSEC-866: Script for migration between MySQL and SQLite was outdated.


You are currently browsing the archives for the Uncategorized category.