PKCS#11 vs OpenSSL (BIND Future Development Question)

Mathieu Arnold mat at
Mon Jun 4 08:21:39 UTC 2018

On Sun, Jun 03, 2018 at 06:00:08AM +0000, Ondřej Surý wrote:
> The PKCS#11 interface is very fragile, as the different vendors implement different parts of the
> standard, and BIND needs to be compiled with a specific PKCS#11 provider defined at the
> compile time.  This is certainly suboptimal, and we are looking at ways how to improve that.

My understanding was that you had to choose at compile time wether you
needed PKCS#11 or OpenSSL, and that, even if you could link with a
specific provider during the build, you could opt-out and start named
with -E /path/to/ At least, it is the way it is done in the
FreeBSD ports tree.

Mathieu Arnold
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
URL: <>

More information about the bind-users mailing list