The OpenDNSSEC project

OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy. The project is Open Source and intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

OpenDNSSEC 2.1.9

Version 2.1.9 of OpenDNSSEC has been released on 2021-05-03.

News

This release contains two changes that work around problems seen with certain HSM configurations, one of them being SoftHSMv2 with a database back-end.
The problem can leave the signer temporarily unable to sign zones, so upgrading is strongly recommended.
It does not occur on all systems and configurations, though.

Issues

  • OPENDNSSEC-955: Prevent concurrency between certain (individually valid) PKCS#11 HSM operations that could cause some keys to become transiently unavailable.
  • OPENDNSSEC-956: Harden the signing procedure so that a zone is still signed when keys that are listed for the zone but not used for signing are unavailable in the HSM.
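The following Python illustrates the OPENDNSSEC-956 rule. It is an added example, not the OpenDNSSEC signer's code: the key records mimic a signconf `<Keys>` section (locator, flags and the KSK/ZSK/Publish roles), the locators and the HSM contents are constructed, and the "skip a missing publish-only key, abort only on a missing signing key" policy is the assumed behaviour being demonstrated.

```python
"""Model of the 'sign even if unused keys are missing' rule (OPENDNSSEC-956).

Added example, not OpenDNSSEC code.  The key list mimics a signconf <Keys>
section (locator = CKA_ID, DNSKEY flags, and the KSK/ZSK/Publish role
markers); the HSM is stood in for by the set of locators a PKCS#11
C_FindObjects lookup would return.  All values are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass(frozen=True)
class SignconfKey:
    locator: str           # CKA_ID of the key pair in the HSM (hex, constructed)
    flags: int             # DNSKEY flags: 257 = SEP/KSK, 256 = ZSK
    ksk: bool = False      # signs the DNSKEY RRset
    zsk: bool = False      # signs the zone data
    publish: bool = False  # only appears in the DNSKEY RRset (pre-publish/retire)

    @property
    def signs(self) -> bool:
        return self.ksk or self.zsk


@dataclass
class SigningPlan:
    sign_with: List[SignconfKey] = field(default_factory=list)
    publish_only: List[SignconfKey] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


class SigningKeyUnavailable(RuntimeError):
    """Raised when the zone cannot be signed with the keys present in the HSM."""


def plan_signing(keys: Iterable[SignconfKey], hsm_locators: Set[str],
                 strict: bool = False) -> SigningPlan:
    """Decide which keys to sign with.

    strict=True models the old behaviour: any listed key missing from the
    HSM aborts signing.  strict=False is the hardened rule: only a missing
    key that actually signs aborts; a missing publish-only key is logged
    and skipped so the zone still gets fresh RRSIGs.
    """
    plan = SigningPlan()
    for key in keys:
        if key.locator in hsm_locators:
            (plan.sign_with if key.signs else plan.publish_only).append(key)
        elif key.signs or strict:
            raise SigningKeyUnavailable(
                f"key {key.locator} (flags {key.flags}) not found in HSM")
        else:
            plan.warnings.append(
                f"key {key.locator} (flags {key.flags}) not found in HSM; "
                "it is publish-only, continuing without it")
    # Whatever the signconf listed, the zone needs a key for the DNSKEY
    # RRset and one for the zone data (a CSK carries both roles).
    if not any(k.ksk for k in plan.sign_with) or not any(k.zsk for k in plan.sign_with):
        raise SigningKeyUnavailable("no usable KSK/ZSK pair available in HSM")
    return plan


# Constructed signconf: active KSK, active ZSK, and a pre-published
# successor ZSK that is only published, not yet used for signing.
EXAMPLE_KEYS = [
    SignconfKey("a0e1a8a2b9c3d4e5f60718293a4b5c6d", 257, ksk=True),
    SignconfKey("0f1e2d3c4b5a69788796a5b4c3d2e1f0", 256, zsk=True),
    SignconfKey("ffeeddccbbaa99887766554433221100", 256, publish=True),
]

# Constructed HSM contents: the successor ZSK is (transiently) missing.
EXAMPLE_HSM = {"a0e1a8a2b9c3d4e5f60718293a4b5c6d", "0f1e2d3c4b5a69788796a5b4c3d2e1f0"}


def demo() -> tuple:
    """Return (locators signed with, warnings) under the hardened rule, and
    whether the strict rule would have refused to sign the zone at all."""
    plan = plan_signing(EXAMPLE_KEYS, EXAMPLE_HSM)
    try:
        plan_signing(EXAMPLE_KEYS, EXAMPLE_HSM, strict=True)
        strict_refused = False
    except SigningKeyUnavailable:
        strict_refused = True
    return [k.locator for k in plan.sign_with], plan.warnings, strict_refused


if __name__ == "__main__":
    print(demo())
```

In this model a skipped key is also absent from the DNSKEY RRset until the HSM serves it again, which can disturb the pre-publish timing of a pending rollover; that is why the miss is logged rather than silently ignored, and why a missing signing key still aborts, since an unsigned zone with expiring RRSIGs goes bogus for validators.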

Download

OpenDNSSEC 2.1.8

Version 2.1.8 of OpenDNSSEC has been released on 2020-02-20.

News

This 2.1.8 release fixes a number of bugs related to the purging of keys, a potential denial of service vulnerability in some installations, and a few rarer but nasty potential crashes. Earlier versions of OpenDNSSEC 2.1 might not have purged all keys from the HSM when instructed to do so. Since this is now done automatically, it is worth pointing out that the previous behaviour was a bug and that from now on old keys will be permanently removed from the HSM.

Either when purging keys manually, or when an automatic purge period is
specified in your key policy (kasp.xml), the keys are supposed to be
removed from the HSM. However, for some time the keys were only marked
for deletion and became invisible, while the actual removal from the HSM
was skipped. This release fixes that, while still allowing keys to be
kept in the HSM. When you specify an automatic purge, the keys will be
completely removed after the specified period. When you purge manually,
keys are not removed from the HSM unless you pass an additional flag
(--delete or -d).

Special thanks to the people that help us in making OpenDNSSEC better
and better, mentioned in the NEWS file as always. Two of the bugs
were only traceable using this help.

The 2.1.8 release is available immediately from the download site.

Issues

  • OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for version 2.69/1.16.2.
  • SUPPORT-261: Fix crash when using the ods-enforcer set-policy command.
  • OPENDNSSEC-953: Fix crash when the zone file is not present while a signconf update and a state flush command are received.

    Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
  • OPENDNSSEC-951: Modify the purging of keys so that keys are automatically purged from the HSM.

    Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
  • OPENDNSSEC-950: Fix that caused crash when signer was offline for a prolonged period (but the enforcer wasn’t) in the middle of a ZSK roll.
  • OPENDNSSEC-952: Fix memory leak when receiving a NOTIFY for a non-existent zone. (Thanks to Sébastien Tisserant for reporting)

Download

OpenDNSSEC 2.1.7

Version 2.1.7 of OpenDNSSEC has been released on 2020-10-05.

News

This 2.1.7 release fixes a bug in the script that migrates from 1.4 to 2.1. Additionally, a bug that created unnecessary signatures during a ZSK roll was fixed. We also had contributions regarding Edwards-curve keys and exporting keys by CKA_ID (locator), plus other corrections and improvements; see the full list below.

The 2.1.7 release is available immediately from the download site.

Issues

  • OPENDNSSEC-949: Fix for a migration bug that did not keep the proper parameters of NSEC3-signed zones; among other things, the zone became NSEC. Reloading
    the policies fixed the situation; the migration scripts are now corrected. Since 1.4 does not require a salt, a resalt may happen automatically after
    migrating, as this is a required parameter in 2.1.
  • OPENDNSSEC-948: Do not recreate signatures for keys that are being rolled out; this fixes unexpected double signatures in the zone.
  • SUPPORT-253: Incorrect keytag used when using Combined Signing Keys (CSK). (Thanks to Simon Arlott)
  • SUPPORT-257: Export keys by locator. (Thanks to Simon Arlott)
  • SUPPORT-222: Support ED25519/ED448 keys. This requires ldns 1.7.0 or later; otherwise these algorithms are unavailable. (Thanks again to Simon Arlott)
  • Load libsqlite3.so.0 and fall back on libsqlite3.so, so the migration tool can also run on systems without the libsqlite3.so soft link. (Thanks to Paul Wouters)
  • Fix some compilation warnings, among others gcc 10 related, plus code quality and initialization improvements. (Thanks to Jonas Berlin, Mathieu MirMont, and Paul Wouters)
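The root cause of SUPPORT-253 is not described on this page, so the following added Python example (not OpenDNSSEC code) only shows what a key tag is and why getting it wrong for a CSK matters: the RFC 4034 Appendix B tag is computed over the DNSKEY RDATA including the Flags field, so the same key material tagged with flags 256 instead of 257 yields a different tag, and an RRSIG carrying that tag matches no DNSKEY at the validator. The DNSKEY records and their 4-byte public key are constructed.

```python
"""DNSSEC key tag (RFC 4034, Appendix B) and why the Flags field matters
for a Combined Signing Key.

Added example, not OpenDNSSEC code.  The DNSKEY records are constructed
with a 4-byte dummy public key; the key-tag arithmetic and the RRSIG-to-
DNSKEY matching it drives are the real algorithms.
"""
import base64
import struct
from typing import List, Tuple


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: Flags(2) Protocol(1) Algorithm(1) PublicKey."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA.  Applies to every
    algorithm except the obsolete RSA/MD5 (algorithm 1), which has its own rule
    and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # big-endian 16-bit words, odd trailing byte high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str) -> Tuple[int, int, int, bytes]:
    """Parse presentation form 'owner TTL IN DNSKEY flags proto alg base64...'
    and return (flags, protocol, algorithm, public_key)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return flags, protocol, algorithm, public_key


def keytag_of(rr: str) -> int:
    flags, protocol, algorithm, public_key = parse_dnskey(rr)
    return keytag(dnskey_rdata(flags, algorithm, public_key, protocol))


def dnskeys_matching(rrsig_keytag: int, dnskeys: List[str]) -> List[str]:
    """First step of validation: select DNSKEYs whose tag equals the one in
    the RRSIG.  An RRSIG carrying the wrong tag matches nothing, so the
    signature is never even tried and the RRset is bogus."""
    return [rr for rr in dnskeys if keytag_of(rr) == rrsig_keytag]


# Constructed records: the same key material once as a CSK (flags 257,
# SEP bit set) and once as a plain ZSK (flags 256).
CSK_RR = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="
ZSK_RR = "example. 3600 IN DNSKEY 256 3 8 AQIDBA=="


def csk_tag_mismatch() -> tuple:
    """Return (tag with flags 257, tag with flags 256, DNSKEYs matched when an
    RRSIG made by the CSK carries the flags-256 tag)."""
    right = keytag_of(CSK_RR)
    wrong = keytag_of(ZSK_RR)   # the tag you get if the SEP bit is dropped from the RDATA
    return right, wrong, dnskeys_matching(wrong, [CSK_RR])


if __name__ == "__main__":
    print(csk_tag_mismatch())   # (2063, 2062, [])
```

The one-off difference between the two tags is not a coincidence: the Flags field occupies the first 16-bit word, and the SEP bit is its least significant bit, so flags 257 versus 256 changes the accumulator by exactly one. Any signer that derives the RRSIG key tag from a fixed role flag rather than from the DNSKEY it actually publishes will produce signatures that validators cannot pair with a key.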

Download