[Opendnssec-announce] End-of-Life Roadmap for OpenDNSSEC

Benno Overeinder benno at NLnetLabs.nl
Fri Oct 3 11:39:51 UTC 2025 

We would like to inform our users and the wider DNS community about the 
planned End-of-Life (EOL) timeline for OpenDNSSEC.  Operators are 
encouraged to start planning replacement.  We will offer Cascade, a new 
DNSSEC signer, as a drop-in successor.

OpenDNSSEC has served the community for many years as a trusted DNSSEC 
signer.  Since its first release in 2010, it pioneered automated DNSSEC 
key management and zone signing, and inspired other software projects to 
adopt similar functionality.  Over time, however, operational 
requirements and best practices have evolved.  The architectural choices 
made more than 15 years ago now make it increasingly difficult to 
maintain and extend OpenDNSSEC.  We have decided that our resources and 
development efforts are better focused on building the next generation 
of DNSSEC signing solutions.

To ensure we continue to provide a reliable, modern, and efficient 
DNSSEC signing solution, we are developing Cascade, our new DNSSEC signer.

Timeline
--------

* 3 October 2025 (today): Formal announcement of OpenDNSSEC End-of-Life.

* October 2025 – October 2027:
   - Ongoing support for OpenDNSSEC.
   - Critical bug fixes and security updates.
   - No new features will be developed.

* October 2027: OpenDNSSEC reaches its official End-of-Life.  No further 
updates or support will be provided.

Transition to Cascade
---------------------

We encourage users to begin evaluating Cascade, our upcoming DNSSEC 
signing solution:
* Alpha release available: October 2025
* Production-ready release: First half of 2026

Cascade is being developed as a modern, efficient, and maintainable 
DNSSEC signing solution [1].  It builds on our experience with 
OpenDNSSEC while offering a stronger foundation for the future.

Before writing a single line of code for Cascade, we interviewed 16 Top 
Level Domain operators and other members of the DNS community about 
their requirements and wishes.  You can read more about this in the 
linked article [2].

One of the key takeaways from these interviews is the desire to have a 
purpose-built, stand-alone DNSSEC signer, rather than a full 
authoritative server with signing capabilities.  The result is an 
architecture that offers flexible deployment, sensible defaults, tight 
control over the signing process and, most of all, observability — 
ensuring you will know what the pipeline is doing and why, and what you 
can expect to happen next.  Lastly, a key part of the project is 
offering comprehensive documentation [3] and an easy migration path from 
OpenDNSSEC to Cascade, with guidance and support services available from 
the first release onward.

We will present the Cascade prototype and give a live demo at the OARC 
45 meeting on Tuesday, 7 October [4].

We sincerely thank the community, contributors, and users who have 
supported and improved OpenDNSSEC over the years.  Your trust and 
feedback have been invaluable, and we hope the  alpha release of Cascade 
offers a starting point for continuing this collaboration.

Contact and Resources
---------------------

For questions, bug reports, or support:
* cascade at nlnetlabs.nl

[1] https://blog.nlnetlabs.nl/cascade/
[2] 
https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/
[3] https://cascade.docs.nlnetlabs.nl/
[4] https://indico.dns-oarc.net/event/55/contributions/1186/.

-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/

More information about the Opendnssec-announce mailing list