BIND 9.10.0b1 is now available

Evan Hunt each at isc.org
Tue Mar 18 00:56:13 UTC 2014


> Well, I'm going to put a radio button for people to use the native PKCS11
> or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
> And add warnings telling people that this BIND can't be used as a
> validating resolver. (it's not auth only, I assume it can still resolve,
> but not validate.)

If the pkcs11 provider has a complete implementation of the pkcs11
API, then it can be used for validation. I don't advise it, but
it should work. (With SoftHSMv2, it might not even be all that
slow, since the code runs locally -- I haven't benchmarked it.)

> On the other hand, if the HSM selection has to be done at compile time,
> like Evan suggests, and not at runtime through a named.conf directive, it's
> a bit pointless, the only "HSM" we have in the ports collection being
> SoftHSM.

HSM selection can be postponed, actually; IIRC, you configure BIND
with --enable-native-pkcs11 but omit --with-pkcs11, then specify the
provider library on the command line ('named -E /path/to/libsofthsm.so').
We haven't made it a named.conf directive though; it hadn't occurred to me
before that anyone would want this for any purpose other than testing.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

