BIND 9.10.0b1 is now available

Doug Barton dougb at
Mon Mar 17 21:43:36 UTC 2014

On 03/17/2014 01:06 PM, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
>> Yes, it was my understanding of how HSM worked. That's why I was trying to
>> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
>> side, and PKCS11 interface for zone signing on the other.
> I'd advise doing that with two separate BIND instances -- sign using
> pkcs11 (possibly on a hidden master) and keep that separate from your
> recursion/validation.

Evan, I think that Mathieu understands that from a "proper DNS 
functionality" perspective. What he's struggling with is that the way 
FreeBSD ports are set up they don't really have a "flag" for "This 
configuration of options will give you an authoritative-only server that 
you cannot use for general purpose recursion/validation" within a 
specific set of options for the general purpose port.

Mathieu, if I may, what I would do in this situation is create a slave 
port for the HSM compile options, and put some sort of warning 
(pre-compile, pkg-message, or both) that clearly indicates to the user 
that this configuration is limited to auth-only. That's the least 
painful way I can think of to deal with it off hand. You may come up 
with a more creative solution.



More information about the bind-users mailing list