[Opendnssec-announce] End-of-Life Roadmap for OpenDNSSEC
Benno Overeinder
benno at NLnetLabs.nl
Fri Oct 3 11:39:51 UTC 2025

We would like to inform our users and the wider DNS community about the
planned End-of-Life (EOL) timeline for OpenDNSSEC. Operators are
encouraged to start planning replacement. We will offer Cascade, a new
DNSSEC signer, as a drop-in successor.

OpenDNSSEC has served the community for many years as a trusted DNSSEC
signer. Since its first release in 2010, it pioneered automated DNSSEC
key management and zone signing, and inspired other software projects to
adopt similar functionality. Over time, however, operational
requirements and best practices have evolved. The architectural choices
made more than 15 years ago now make it increasingly difficult to
maintain and extend OpenDNSSEC. We have decided that our resources and
development efforts are better focused on building the next generation
of DNSSEC signing solutions.

To ensure we continue to provide a reliable, modern, and efficient
DNSSEC signing solution, we are developing Cascade, our new DNSSEC signer.

Timeline
--------

* 3 October 2025 (today): Formal announcement of OpenDNSSEC End-of-Life.
* October 2025 – October 2027:
  - Ongoing support for OpenDNSSEC.
  - Critical bug fixes and security updates.
  - No new features will be developed.
* October 2027: OpenDNSSEC reaches its official End-of-Life. No further
  updates or support will be provided.

Transition to Cascade
---------------------
We encourage users to begin evaluating Cascade, our upcoming DNSSEC
signing solution:

* Alpha release available: October 2025
* Production-ready release: First half of 2026

Cascade is being developed as a modern, efficient, and maintainable
DNSSEC signing solution [1]. It builds on our experience with
OpenDNSSEC while offering a stronger foundation for the future.

Before writing a single line of code for Cascade, we interviewed 16 Top
Level Domain operators and other members of the DNS community about
their requirements and wishes. You can read more about this in the
linked article [2].

One of the key takeaways from these interviews is the desire to have a
purpose-built, stand-alone DNSSEC signer, rather than a full
authoritative server with signing capabilities. The result is an
architecture that offers flexible deployment, sensible defaults, tight
control over the signing process and, most of all, observability —
ensuring you will know what the pipeline is doing and why, and what you
can expect to happen next. Lastly, a key part of the project is
offering comprehensive documentation [3] and an easy migration path from
OpenDNSSEC to Cascade, with guidance and support services available from
the first release onward.

We will present the Cascade prototype and give a live demo at the OARC
45 meeting on Tuesday, 7 October [4].

We sincerely thank the community, contributors, and users who have
supported and improved OpenDNSSEC over the years. Your trust and
feedback have been invaluable, and we hope the alpha release of Cascade
offers a starting point for continuing this collaboration.

Contact and Resources
---------------------
For questions, bug reports, or support:
* cascade at nlnetlabs.nl

[1] https://blog.nlnetlabs.nl/cascade/
[2] https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/
[3] https://cascade.docs.nlnetlabs.nl/
[4] https://indico.dns-oarc.net/event/55/contributions/1186/.
--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/