Internet engineers continue to enhance Internet security with the release of OpenDNSSEC, a tool which simplifies the process of signing one or more zones with DNSSEC. OpenDNSSEC handles the entire process, including secure key management and rollover issues. With OpenDNSSEC, fewer manual operations are needed by the operator.
OpenDNSSEC ensures that all the steps in the signing process are done in the correct order and at the right time, making sure that nothing breaks. The issue of storing the private keys associated with DNSSEC signing has been handled using so-called HSMs (Hardware Security Modules), so that the private keys cannot be leaked to an unauthorized third party.
OpenDNSSEC works in all Unix-like operating systems and is suitable both for those who will only sign a single large zone (such as top-level domains) and those who have many small zones (e.g. web hotels, ISPs).
Bugfixes in OpenDNSSEC 1.3.1:
- Fix “ZSK in use too long” message to handle new signer behaviour.
- RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein)
- Make sure argument in “ods-control signer” is not stripped off.
- ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running “ods-ksmutil setup”.
- “ods-ksmutil zone list” now handles empty zonelists.
- Enforcer: an unsigned comparison resulted in the wrong error message.
- ods-ksmutil: fixed an issue where the first ds-seen command run on a zone would work, but return an error code and not send a HUP to the enforcerd.
- Signer Engine: a threading issue occasionally put the default validity on NSEC(3) RRs and the denial validity on other RRs.
- Signer Engine: An update command could interrupt the signing process and the zone would get missing signatures.
- Signer Engine: Fix an issue where some systems could not copy the zone file.
- Zonefetcher: Check inbound serial in transferred file, to prevent redundant zone transfers.
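The last entry, the zone fetcher checking the inbound serial before accepting a transfer, is a small but common piece of DNS plumbing. The following is an added example, not code from OpenDNSSEC or from this announcement: it extracts the SOA serial from a transferred zone file and applies RFC 1982 serial number arithmetic (32-bit, wrap-around aware) to decide whether the inbound copy is actually newer than the zone currently held. The zone text and the function names are constructed for illustration.

```python
import re

SERIAL_MASK = 0xFFFFFFFF          # SOA serials are unsigned 32-bit values
SERIAL_HALF = 1 << 31             # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if serial a is 'newer' than b.

    Handles wrap-around, so 0 is newer than 0xFFFFFFFF. Serials that
    differ by exactly 2**31 are undefined in the RFC and compare False.
    """
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def soa_serial(zone_text: str) -> int:
    """Return the serial from the first SOA record in a master-file zone.

    Comments (';' to end of line) are stripped and parenthesised multi-line
    records are flattened before matching; hypothetical helper, minimal parser.
    """
    no_comments = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    flat = re.sub(r"\s+", " ", no_comments.replace("(", " ").replace(")", " "))
    # SOA <mname> <rname> <serial> ...
    m = re.search(r"\bSOA\s+\S+\s+\S+\s+(\d+)", flat)
    if not m:
        raise ValueError("no SOA record found in zone text")
    return int(m.group(1))


def should_apply_transfer(current_serial: int, transferred_zone_text: str) -> bool:
    """Accept the transferred zone only if its SOA serial is newer than ours.

    A transfer carrying an equal or older serial is redundant and is dropped,
    which is the check the zone fetcher fix above describes.
    """
    inbound = soa_serial(transferred_zone_text)
    return serial_gt(inbound, current_serial)


# Constructed sample zone file, as a zone fetcher might receive it.
EXAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@   IN SOA ns1.example.org. hostmaster.example.org. (
            2011090102 ; serial
            7200       ; refresh
            3600       ; retry
            1209600    ; expire
            3600 )     ; minimum
@   IN NS ns1.example.org.
ns1 IN A  192.0.2.1
"""

if __name__ == "__main__":
    held = 2011090101
    print("inbound serial:", soa_serial(EXAMPLE_ZONE))
    print("apply transfer:", should_apply_transfer(held, EXAMPLE_ZONE))
```

The comparison deliberately uses RFC 1982 arithmetic rather than a plain `>`: operators who use date-based serials will never wrap, but a zone whose serial is near 2**32 (or one that was re-initialised to a low value with a planned wrap) would otherwise be refused forever.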