BIND 9.10.0b1 is now available
Evan Hunt
each at isc.org
Mon Mar 17 20:06:33 UTC 2014
On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> Yes, it was my understanding of how HSM worked. That's why I was trying to
> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> side, and PKCS11 interface for zone signing on the other.
I'd advise doing that with two separate BIND instances -- sign using
pkcs11 (possibly on a hidden master) and keep that separate from your
recursion/validation.

I'm interested to read this, though, because it's a use case I hadn't
considered. We'll have to give it some thought. But right now there
are three options:

- build with regular openssl, no pkcs11
- build with patched openssl, pkcs11 available via openssl shim
  (configure --with-openssl=/path/to/openssl/prefix
  --with-pkcs11=/path/to/provider.so)
- build with native pkcs11, no openssl
  (configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.