BIND 9.10.0b1 is now available

Mathieu Arnold mat at
Tue Mar 18 00:43:01 UTC 2014

+--On 17 mars 2014 14:43:36 -0700 Doug Barton <dougb at> wrote:
| On 03/17/2014 01:06 PM, Evan Hunt wrote:
|> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
|>> Yes, it was my understanding of how HSM worked. That's why I was trying
|>> to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation
|>> on one side, and PKCS11 interface for zone signing on the other.
|> I'd advise doing that with two separate BIND instances -- sign using
|> pkcs11 (possibly on a hidden master) and keep that separate from your
|> recursion/validation.
| Evan, I think that Mathieu understands that from a "proper DNS
| functionality" perspective. What he's struggling with is that the way
| FreeBSD ports are set up they don't really have a "flag" for "This
| configuration of options will give you an authoritative-only server that
| you cannot use for general purpose recursion/validation" within a
| specific set of options for the general purpose port.
| Mathieu, if I may, what I would do in this situation is create a slave
| port for the HSM compile options, and put some sort of warning
| (pre-compile, pkg-message, or both) that clearly indicates to the user
| that this configuration is limited to auth-only. That's the least painful
| way I can think of to deal with it off hand. You may come up with a more
| creative solution.

Well, I'm going to put a radio button for people to use the native PKCS11
or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
And add warnings telling people that this BIND can't be used as a
validating resolver. (it's not auth only, I assume it can still resolve,
but not validate.)

On the other hand, if the HSM selection has to be done at compile time,
like Evan suggest, and not at runtime through a named.conf directive, it's
a bit pointless, the only "HSM" we have in the ports collection being


Mathieu Arnold

More information about the bind-users mailing list