End-of-Life Roadmap for OpenDNSSEC

Published: Fri 03 October 2025
Last updated: Fri 03 October 2025

We would like to inform our users and the wider DNS community about the planned End-of-Life (EOL) timeline for OpenDNSSEC. Operators are encouraged to start planning replacement. We will offer Cascade, a new DNSSEC signer, as a drop-in successor.

OpenDNSSEC has served the community for many years as a trusted DNSSEC signer. Since its first release in 2010, it pioneered automated DNSSEC key management and zone signing, and inspired other software projects to adopt similar functionality. Over time, however, operational requirements and best practices have evolved. The architectural choices made more than 15 years ago now make it increasingly difficult to maintain and extend OpenDNSSEC. We have decided that our resources and development efforts are better focused on building the next generation of DNSSEC signing solutions.

To ensure we continue to provide a reliable, modern, and efficient DNSSEC signing solution, we are developing Cascade, our new DNSSEC signer.

Timeline

  • 3 October 2025 (today): Formal announcement of OpenDNSSEC End-of-Life.
  • October 2025 – October 2027:
    • Ongoing support for OpenDNSSEC.
    • Critical bug fixes and security updates.
    • No new features will be developed.
  • October 2027: OpenDNSSEC reaches its official End-of-Life. No further updates or support will be provided.

Transition to Cascade

We encourage users to begin evaluating Cascade, our upcoming DNSSEC signing solution:

  • Alpha release available: October 2025
  • Production-ready release: First half of 2026

Cascade is being developed as a modern, efficient, and maintainable DNSSEC signing solution [1]. It builds on our experience with OpenDNSSEC while offering a stronger foundation for the future.

Before writing a single line of code for Cascade, we interviewed 16 Top Level Domain operators and other members of the DNS community about their requirements and wishes. You can read more about this in the linked article [2].

One of the key takeaways from these interviews is the desire to have a purpose-built, standalone DNSSEC signer, rather than a full authoritative server with signing capabilities. The result is an architecture that offers flexible deployment, sensible defaults, tight control over the signing process and, most of all, observability — ensuring you will know what the pipeline is doing and why, and what you can expect to happen next. Lastly, a key part of the project is offering comprehensive documentation [3] and an easy migration path from OpenDNSSEC to Cascade, with guidance and support services available from the first release onward.

We will present the Cascade prototype and give a live demo at the OARC 45 meeting on Tuesday, 7 October [4].

We sincerely thank the community, contributors, and users who have supported and improved OpenDNSSEC over the years. Your trust and feedback have been invaluable, and we hope the alpha release of Cascade offers a starting point for continuing this collaboration.

general news