Internet engineers continue to enhance Internet security with the release of OpenDNSSEC, a tool which simplifies the process of signing one or more zones with DNSSEC. OpenDNSSEC handles the entire process, including secure key management and rollover issues. With OpenDNSSEC, fewer manual operations are needed by the operator.
OpenDNSSEC ensures that all the steps in the signing process are done in the correct order and at the right time, so that nothing breaks. The private keys used for DNSSEC signing are stored in so-called HSMs (Hardware Security Modules), so that they cannot be leaked to an unauthorized third party.
OpenDNSSEC runs on all Unix-like operating systems and is suitable both for those who sign only a single large zone (such as top-level domains) and for those who have many small zones (e.g. web hosting providers, ISPs).
Developed by industry leaders including .SE (The Internet Infrastructure Foundation), NLNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson, OpenDNSSEC seamlessly integrates the DNS Security Extensions (DNSSEC) into existing IT systems without requiring organizations to change their infrastructure.
Version 1.2.2 of OpenDNSSEC comes with the following bugfixes:
- signconf.rnc now allows an NSEC3 Iterations value of 0.
- Auditor: Fix delegation checks.
- Bugfix #242: Race condition when receiving multiple NOTIFY messages for a zone.
- Enforcer: Change message about KSK retirement to make it less confusing.
- ods-ksmutil: Fixed manual key rollover on zones that have moved to a different policy.
- Signer Engine: Handle stdout console output throttling that would truncate daemon output intermittently.
- Signer Engine: When removing records, also remove NSEC3 records that belong to the empty non-terminal.
- Signer Engine: Ifdef the zone fetcher header file.
- Zonefetcher: Sometimes an invalid "Address already in use" error occurred.
- Zonefetcher: Check inbound serial in transferred file, to prevent redundant zone transfers.
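The last item describes the kind of check a zone fetcher needs: compare the SOA serial of an inbound transfer with the serial already held, and only accept the new copy when it is newer. The comparison must follow RFC 1982 serial-number arithmetic, because a 32-bit serial wraps around. The following is an added illustration of that check and is not OpenDNSSEC code; the zone-file tokenizer is a deliberately simplified one (it handles the parenthesised multi-line SOA form and `;` comments but nothing else), and the zone text and serials are constructed sample data.

```python
"""Inbound-serial check for transferred zone files, using RFC 1982 serial arithmetic.

Added illustration (not OpenDNSSEC code). The zone-file tokenizer is simplified:
it handles ';' comments and the parenthesised multi-line SOA form only.
"""

SERIAL_BITS = 32
MOD = 2 ** SERIAL_BITS
HALF = 2 ** (SERIAL_BITS - 1)


def serial_gt(a, b):
    """Return True if serial a is 'greater than' serial b under RFC 1982 rules.

    Serials wrap at 2^32, so 1 is newer than 0xFFFFFFFF. A difference of exactly
    2^31 is undefined by the RFC; this function returns False for that case.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def soa_serial(zone_text):
    """Extract the SOA serial from zone-file text.

    Comments are stripped and parentheses removed so that
    'MNAME RNAME ( serial refresh ... )' tokenizes the same as the one-line form.
    """
    tokens = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]  # drop trailing comment
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA":
            # Tokens after SOA: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            return int(tokens[i + 3])
    raise ValueError("no SOA record found in transferred zone")


def should_accept_transfer(current_serial, transferred_zone_text):
    """Decide whether a transferred zone file is newer than the copy we hold.

    Returns (accept, inbound_serial). With no current copy, any transfer is accepted.
    Rejecting equal or older serials is what avoids redundant re-signing.
    """
    inbound = soa_serial(transferred_zone_text)
    if current_serial is None:
        return True, inbound
    return serial_gt(inbound, current_serial), inbound


# Constructed sample data: the serial we currently hold and two inbound transfers.
CURRENT_SERIAL = 2011061501

NEWER_ZONE = """\
$TTL 3600
example.test. IN SOA ns1.example.test. hostmaster.example.test. (
    2011061502 ; serial (constructed)
    7200 3600 1209600 3600 )
example.test. IN NS ns1.example.test.
"""

SAME_ZONE = (
    "example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
    "2011061501 7200 3600 1209600 3600\n"
)


if __name__ == "__main__":
    for label, zone in (("newer", NEWER_ZONE), ("same", SAME_ZONE)):
        accept, inbound = should_accept_transfer(CURRENT_SERIAL, zone)
        print(f"{label}: inbound serial {inbound}, accept={accept}")
```

Run stand-alone, the newer transfer is accepted and the one with an unchanged serial is skipped. The wraparound rule matters in practice: an operator who uses date-based serials (YYYYMMDDnn) never reaches it, but a zone whose serial is a Unix timestamp or a monotonic counter eventually will, and a plain integer comparison would then reject every legitimate transfer.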