Skip to end of metadata
Go to start of metadata

Major enhancements

DNS Adapters

OpenDNSSEC now supports both input and output adapters for AXFR and IXFR in addition to file transfer. 

Migration required:

PIN Storage

The HSM PIN can now be omitted from the conf.xml file and entered via the 'ods-hsmutil login' command instead for increased security.

Auditor is deprecated

The auditor is no longer supported in 1.4. This greatly reduced the dependencies of OpenDNSSEC, namely it no longer depends on Ruby. Alternative validation tools are described here.

Minor enhancements

(Some enhancements are also available in later 1.3 releases - see the 1.3 release NEWS file)

ods-ksmutil: one step 'key backup' is deprecated

The command

ods-ksmutil backup done

is deprecated - for more details see ods-ksmutil backup

ods-ksmutil/enforcer enhancements

  • ods-ksmutil key list: key size, algorithm and next key state are included in output when -v flag is used
  • ods-ksmutil rollover list: more information displayed on the KSKs waiting for the ds-seen command when the -v flag is used
  • ods-ksmutil key generate: now displays how many keys will be generated and presents the user with the opportunity to stop the operation.
  • Optionally include CKA_ID in output of the DelegationSignerSubmitCommand

Signer enhancements

  • Allow for Classless IN-ADDR.ARPA names (RFC 2317).


Versioning and Support Policy

The versioning scheme used for releases and the release maintenance policy have both been updated as of 1.4. Please see the Release Management Process for details. 

Bug fixes

A full list of bug fixes and issue numbers can be found in the 1.4 release NEWS file.

A summary of the updates in 1.4.0 that are not in 1.3.13 can be found here.


The 'Multi-threaded enforcer' feature (which was available in earlier beta versions of 1.4) was removed from the 1.4 release due to issues with the implementation. Note that the 2.0 release will deliver significant performance improvements for running with many zones.


  • No labels