Version 2.5.3


  • CSK rollover support for Single-Type Signing Scheme


  • Allowed binding to non-local adresses for TCP (Thanks to Julian Brost!)
  • New documentation section for manual DNSSEC key algorithm rollover
  • Initial KSK also generated in the submission state
  • The 'ds' keymgr command with no parameter uses all KSK keys
  • New debug mode in kjournalprint
  • Updated keymgr documentation


  • Sometimes missing RRSIG by KSK in submission state
  • Minor DNSSEC-related issues