* Default TTL in case of $TTL or explicit RR TTL becomes the SOA Minimum value (
was 3600).
* The signer engine will check if another engine is already running before start
ing.
* Startup scripts for Solaris (SMF).
* Auditor gives an error if key moves to "in use" without sufficient "prepublish
ed" time.
Bugfixes:
* Trailing spaces are not part of the domain name/ include file/ ttl in directiv
es.
* nsec3er: Print final RRset, even if no NSEC3 was needed at that RRset.
* Proper privileges dropping when creating the command socket
* Signer sometimes didn't terminate if socket shutdown failed.
Known issues:
* The Signer Engine fails with broken pipes sometimes.
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.
The Features of OpenDNSSEC
- No manual management is needed (after first configuration)
- Works with all different versions of the Unix operating system
- Multiple zones with shared or individual policies
- Each policy specifies a set of key and signature settings
- Handle zone sizes ranging from a few RRs to millions of RRs
- Unsigned zone file in and signed zone file out.
- Supports RSA/SHA1 signatures ? ready for future algorithms
(e.g.RSA/SHA2, GOST)
- Denial of existence using NSEC or NSEC3
- Automatic key generation in HSMs via the PKCS#11 interface
- Option support for sharing keys between zones
- Automatic key rollover
- Possibility of manual key rollover (emergency key rollover)
- Automatic zone signing using HSMs via the PKCS#11 interface
- Auditing of the signing process and result
- BSD license
