Using a PCIe HSM card with BIND

Ondřej Surý ondrej at isc.org
Wed Mar 12 19:42:33 UTC 2025


Hi Sergio,

the BIND 9 documentation covers this:

https://bind9.readthedocs.io/en/v9.18.34/chapter5.html#pkcs-11-cryptoki-support

Since you are using OpenSSL you must ensure that Legacy engines are enabled.

I would, however, recommend switching to 9.20.6, which has support for the more modern
OpenSSL Providers (5.5.6 and onwards):

https://bind9.readthedocs.io/en/v9.20.6/chapter5.html#pkcs-11-cryptoki-support

Cheers,
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 12. 3. 2025, at 20:29, Sergio Ramirez <sramirez at seciu.edu.uy> wrote:
> 
> Hi,
> We need to integrate a "Thales Luna HSM PCIe 7" card that we just purchased with the most up-to-date BIND version that works in this scenario.
> 
> We carefully followed the instructions given in the Thales documents but we did not have successful results. Also, we contacted the Thales premium technical support services, but these services are poor, and so far they have not given us a solution.
> 
> For this reason we would like to ask whether someone has experience integrating BIND with a Thales HSM card with newer versions (in the past we did this integration successfully with older BIND versions and older Thales HSM cards).
> 
> The versions that we are using now are:
> 
> Linux 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux
> OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
> BIND 9.18.32 (Extended Support Version) <id:d1f1392>
> 
> HSM Luna PCIe 7 card with firmware 7.0.3.
> 
> We are very satisfied with BIND software; unfortunately, if we cannot find a solution, perhaps we will need to change the DNS server software for another one compatible with the newer Thales HSM card.
> 
> Thanks in advance.
> 
> --
> Sergio R.