running named built with --enable-native-pkcs11 without HSM provider library

Evan Hunt each at
Wed Aug 6 17:31:10 UTC 2014

On Wed, Aug 06, 2014 at 05:14:53PM +0100, Tony Finch wrote:
> > Right now it is not possible, and when named is built with
> > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > provider library.
> Would using SoftHSM solve your problem?

SoftHSM version 1 doesn't supply enough of the PKCS#11 API to meet all
of BIND's crypto needs, but SoftHSMv2 works beautifully.  Last I checked,
version 2 hadn't been formally released yet, but it can be cloned from

The way things are currently set up, BIND can only drive one PKCS#11
provider library at a time.  You build with a default provider, and it
can be overridden via a command line option, but that's a little

I've been thinking about using a "shim" provider that would pass along
PKCS#11 primitives to a "back-end" according to context, so you could
switch seamlessly between providers -- that might be useful, for example,
if you wanted to use a proper HSM for your KSK, but SoftHSM for the ZSK
because it's faster.  It might also enable us to drive an HSM that didn't
have a complete PKCS#11 implementation, using SoftHSM to fill in the
functional gaps.  Haven't done any work on it, though.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
