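OpenDNSSEC 1.3.9 released: a secure DNS solution
OpenDNSSEC is an open-source implementation of DNSSEC, used to secure zone data before it is published to an authoritative name server.
Domain Name System Security Extensions (DNSSEC) is a set of DNS security authentication mechanisms provided by the IETF (see RFC 2535). It provides extensions for origin authentication and data integrity, but does not guarantee availability or confidentiality, or confirm that a domain name does not exist.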
Overview
- Single piece of software for signing DNS zones that can be seamlessly integrated into an existing system without needing to overhaul the entire existing infrastructure.
- Can be configured to sign zone files or to sign zones transferred in via AXFR.
- Fully automatic – once set up, no manual intervention is needed.
- Possibility of manual key rollover (emergency key rollover).
- Open source software supplied with a BSD license so suppliers of commercial products can use the open source code in them whilst retaining the IPR of their own software.
Scalable
- Able to sign zones containing anything from a few records up to millions of records.
- Single instance of OpenDNSSEC can be configured to sign one or many zones.
- Keys can be shared between zones in order to save space in the HSM.
Flexible
- Able to define zone signing policy (length of key, key lifetime, signature interval etc.); can set the system up for anything between one policy to cover all zones to one policy per zone.
- Works with all different versions of the Unix operating system
Secure
- OpenDNSSEC stores sensitive cryptographic data in an HSM, communicating with it using the industry-standard PKCS#11 interface.
- SoftHSM – a software emulation of an HSM – is available if use of an HSM is not necessary, or to set up a DNSSEC testbed before purchasing a real HSM.
- Facility to check whether HSMs are compatible with OpenDNSSEC.
- Includes an auditing function that compares the incoming unsigned zone with the outgoing signed zone, so you can check that no zone data has been lost and that the zone signatures are correct.
- Supports RSA/SHA1 and SHA2 signatures
- Denial of existence using NSEC or NSEC3
OpenDNSSEC 1.3.9 has been released. This version improves the Enforcer's database access performance, simplifies zone deletion in ods-ksmutil, and more.
This article was uploaded and shared by user openkk.