OpenDNSSEC is a policy-based zone signer that automates keeping track of DNSSEC keys and signing of zones.

After a one-time set up process OpenDNSSEC takes in unsigned zones, adds the signatures and other records for DNSSEC and passes it on to the authoritative name server for that zone, such as NSD. It is able to automate signing zones containing anything from a few records up to millions of records. A single instance can be configured to sign one or many zones.

OpenDNSSEC is distributed free of charge in open source form under the BSD license. For most distributions, packages are available. It is a single piece of software for signing DNS zones that can be seamlessly integrated into an existing system, without needing to overhaul the entire infrastructure. It can be configured to sign zone files or to sign zones transferred in via AXFR. Once it has been set up, no manual intervention is needed though of course, you have the possibility to do a manual (emergency) key rollover.

All keys are stored in a Security Module and accessed via PKCS#11, a standard API for communicating with devices which hold cryptographic information and perform cryptographic functions. To deploy OpenDNSSEC, an implementation of this API is required, e.g. a software implementation like SoftHSM or a hardware device like an HSM or a smartcard/token.

If you run OpenDNSSEC in a mission critical environment and you would like support backed by a Service Level Agreement directly from the developers at NLnet Labs, please visit our Support Contracts page for more information.

OpenDNSSEC has a dedicated website at, where you can find documentation and download the latest release.