BIND 9.10.0b1 is now available

Evan Hunt each at
Mon Mar 17 20:06:33 UTC 2014

On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> Yes, it was my understanding of how HSM worked. That's why I was trying to
> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> side, and PKCS11 interface for zone signing on the other.

I'd advise doing that with two separate BIND instances -- sign using
pkcs11 (possibly on a hidden master) and keep that separate from your

I'm interested to read this, though, because it's a use case I hadn't
considered. We'll have to give it some thought.  But right now there
are three options:

 - build with regular openssl, no pkcs11
 - build with patched openssl, pkcs11 available via openssl shim
   (configure --with-openssl=/path/to/openssl/prefix
 - build with native pkcs11, no openssl
   (configure --enable-native-pkcs11 --with-pkcs11=/path/to/

Evan Hunt -- each at
Internet Systems Consortium, Inc.
