Published on September 10th, 2012 | by NJ Ouchn


OpenDNSSEC 1.4.0b1 released

OpenDNSSEC was created as an open-source turn-key solution for DNSSEC. It secures zone data just before it is published in an authoritative name server.


Many Internet protocols hinge on DNS, but the data in DNS caches has become so vulnerable to attack that it cannot be relied upon anymore. The added authenticity in DNSSEC makes sure that such attacks have no effect.

That is, if

  • Zones are verified. Easy-to-deploy software for DNSSEC-aware name resolving (and caching) exists, for example Unbound or properly configured Bind9.
  • Zones are secured. Easy-to-deploy solutions for DNSSEC did not yet exist, at least not in open source. Hence the OpenDNSSEC project.

More on the problems with DNS and about deploying DNSSEC can be found in this white paper.

The Features of OpenDNSSEC


  • Single piece of software for signing DNS zones that can be seamlessly integrated into an existing system without needing to overhaul the entire existing infrastructure.
  • Can be configured to sign zone files or to sign zones transferred in via AXFR.
  • Fully automatic – once set up, no manual intervention is needed.
  • Possibility of manual key rollover (emergency key rollover).
  • Open source software supplied with a BSD license so suppliers of commercial products can use the open source code in them whilst retaining the IPR of their own software.


  • Able to sign zones containing anything from a few records up to millions of records.
  • Single instance of OpenDNSSEC can be configured to sign one or many zones.
  • Keys can be shared between zones in order to save space in the HSM.


  • Able to define zone signing policy (length of key, key lifetime, signature interval etc.); can set the system up for anything between one policy to cover all zones to one policy per zone.
  • Works with all different versions of the Unix operating system


  • OpenDNSSEC stores sensitive cryptographic data in an HSM, communicating with it using the industry-standard PKCS#11 interface.
  • SoftHSM – a software emulation of an HSM – is available if use of an HSM is not necessary, or to set up a DNSSEC testbed before purchasing a real HSM.
  • Facility to check whether HSMs are compatible with OpenDNSSEC.
  • Includes an auditing function that compares the incoming unsigned zone with the outgoing signed zone, so you can check that no zone data has been lost and that the zone signatures are correct.
  • Supports RSA/SHA1 and SHA2 signatures
  • Denial of existence using NSEC or NSEC3


  • OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be entered using “ods-hsmutil login” and is stored in shared memory. The daemons will not start until this has been done by the user.
  • OPENDNSSEC-297: Enforcer: Multi-threaded option available for the enforcer to improve performance (MySQL only).
  • OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify> and <RequestTransfer> elements are now optional, but if provided they require one or more <Peer> or <Remote> elements.


  • OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG record.
  • OPENDNSSEC-261: Signer Engine: Ldns fails to parse RR that seems syntactically correct.
  • OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr struct.
  • OPENDNSSEC-281: Commandhandler sometimes unresponsive.
  • OPENDNSSEC-318: Signer Engine: Don’t stop dns and xfr handlers if these threads have not yet been started.
  • OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
  • OPENDNSSEC-325: Signer Engine: Don’t include RRSIG records when DO bit is not set.
  • OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be transferred from master and has been expired.
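
The check behind OPENDNSSEC-325, shown as an added example that is not OpenDNSSEC's own code: the DO ("DNSSEC OK") bit lives in the flags of the EDNS0 OPT record (type 41) in a query, and a responder should only return RRSIG records when it is set. All function names and the sample queries are constructed for this illustration.

```python
import struct

OPT_TYPE = 41      # EDNS0 pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the OPT flags (RFC 3225)

def _skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def do_bit_set(msg):
    """True if the DNS message carries an OPT record with the DO bit set."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == OPT_TYPE:
                return bool(ttl & DO_FLAG)   # low 16 bits of the TTL field are the flags
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("malformed DNS message")
    return False                             # no OPT record means no DO bit

def build_query(name, qtype, edns=False, do=False):
    """Constructed sample input: a minimal query, optionally with an OPT RR."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns:   # root owner name, type OPT, 4096-byte UDP size, flags, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG if do else 0, 0)
    return msg

def filter_answer(rr_types, query):
    """Drop RRSIG from the RR types to return unless the query set the DO bit."""
    keep_sigs = do_bit_set(query)
    return [t for t in rr_types if t != "RRSIG" or keep_sigs]
```
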


