Before you start to use OpenDNSSEC in your production environment, you must first decide which hardware you are going to run it on.

Once you have a suitable system, install the software that OpenDNSSEC depends on, and then install OpenDNSSEC itself.

Hardware set-up

Here are some short recommendations if you are planning to use OpenDNSSEC with many zones or a single large zone, and where the speed of signing is important.

Platform support

OpenDNSSEC has been tested on the following platforms:


OpenDNSSEC depends on a number of open-source packages, all of which must be installed on your system for OpenDNSSEC to build successfully.

The installation of dependencies guide shows which packages are required and how to download/install them.

You also need a Hardware Security Module.

Choose from any vendor that uses the PKCS#11 interface, or use SoftHSM, the software-only implementation of an HSM created by the OpenDNSSEC project. Follow these instructions on how to install SoftHSM.

Pre-built Binaries

You can find information about packages for your operating system here:

Obtaining the Source Code

The latest version of OpenDNSSEC can be found as a tarball on

The development (unstable) version of OpenDNSSEC is available from the GitHub repository and can be obtained using the following command:

git clone

Building & Installing

  1. If you downloaded the tarball then first untar it:

    tar -xzf opendnssec-<VERSION>.tar.gz
    cd opendnssec-<VERSION>

    or if you are working from the repository:

    cd OpenDNSSEC
  2. Then it is time to configure the build scripts:


    You may also need some other options to configure.

      --disable-auditor       Disable auditor build (default enabled)
      --enable-eppclient      Enable eppclient build (default disabled) (experimental)
      --enable-timeshift      For debugging purposes
      --with-database-backend Select database backend (sqlite3|mysql) (default sqlite)

    Use the following command to find out which other options are available:

     ./configure --help

    The configure script defaults to --prefix=/usr/local, --sysconfdir=/etc, and --localstatedir=/var.

  3. Once configured, build OpenDNSSEC using:


    ... and install using ...

     sudo make install

    If the build fails it might be because of a missing software dependency. Please read the error messages carefully.


Depending on operating system, there may be a few additional steps required after installation.

Linux Users

Linux users need to rebuild the dynamic linker caches. To do this, issue the command:

sudo ldconfig [library-path [library-path ...]]

If OpenDNSSEC or any of the pre-requisites were installed in non-standard directories, the list of library paths should be specified as arguments on the command line.
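
As an added example (not part of the OpenDNSSEC documentation), the following shell functions help choose the library-path arguments for ldconfig: they read `ldd` output for a binary, list the libraries it cannot resolve, find which candidate directories provide them, and reject directories that group or others can write to. The function names, the sample `ldd` output and the library names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the OpenDNSSEC project.

# Print the names of libraries that `ldd` output (stdin) marks "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For each library name on stdin, print the first candidate directory
# (given as arguments) that contains it. Output is de-duplicated.
dirs_providing() {
    while IFS= read -r lib; do
        for dir in "$@"; do
            if [ -e "$dir/$lib" ]; then
                printf '%s\n' "$dir"
                break
            fi
        done
    done | sort -u
}

# Succeed only if the directory exists and is not writable by group or
# others. A directory in the linker cache that other users can write to
# lets them plant a library that privileged programs will then load.
safe_lib_dir() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# Constructed sample of `ldd` output for a binary built against a library
# installed under a non-standard prefix (library names are illustrative).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd2a5f2000)
	libldns.so.1 => not found
	libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f1c2a000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)'

# Demo: list the unresolved libraries in the sample.
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```

On a real system, pipe the output of `ldd` for an installed binary into `missing_libs`, and pass only the directories that `safe_lib_dir` accepts to `sudo ldconfig`.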