PKCS#11 stuff: "sign-only" vs "crypto-accelerator"

Evan Hunt each at isc.org
Thu Feb 11 01:27:21 UTC 2010


> Of course. So there needs to be meta data. Meta data per zone, not per key.

No, per key.  This stuff relates to the lifecycle of the individual key
(created at time t1, published at t2, activated at t3, deactivated/revoked
at t4, unpublished at t5, succeeded by key K...).

Per-key information could be stored in a single file rather than a
directory (in a database file, or XML, or whatever).  But that's sort
of semantic.

> I understand that it is too late for 9.7.0, but when(!) you change this
> in a future release, please consider not locating it in K*.meta but
> rather in a file per zone with a predictable name. Having to scan
> directories is not a great idea.

In the meantime, I recommend using a different key-directory for each zone.

                                        eh
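The per-key lifecycle above (created, published, activated, deactivated/revoked, unpublished, succeeded by key K), as an added Python example that is not code from this thread or from BIND: a record holding the t1..t5 timestamps, an ordering check over them, a lookup of a key's state at a given instant, and an assumed rollover check that a successor is active before its predecessor is deactivated. Key ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class KeyMeta:
    key_id: str
    created: datetime        # t1
    published: datetime      # t2: DNSKEY appears in the zone
    activated: datetime      # t3: key starts producing signatures
    deactivated: datetime    # t4: key stops signing (deactivated or revoked)
    unpublished: datetime    # t5: DNSKEY removed from the zone
    successor: Optional[str] = None  # "succeeded by key K"

def validate(meta: KeyMeta) -> List[str]:
    """Ordering problems in one key's timeline (empty list = consistent)."""
    steps = [("created", meta.created), ("published", meta.published),
             ("activated", meta.activated), ("deactivated", meta.deactivated),
             ("unpublished", meta.unpublished)]
    return [f"{meta.key_id}: {b} precedes {a}"
            for (a, ta), (b, tb) in zip(steps, steps[1:]) if tb < ta]

def state_at(meta: KeyMeta, when: datetime) -> str:
    """Lifecycle state of the key at a given instant."""
    if when < meta.created:     return "nonexistent"
    if when < meta.published:   return "created"
    if when < meta.activated:   return "published"
    if when < meta.deactivated: return "active"
    if when < meta.unpublished: return "inactive"
    return "unpublished"

def rollover_gaps(keys: Dict[str, KeyMeta]) -> List[str]:
    """Assumed policy (not from the thread): a successor must be active by the
    time its predecessor is deactivated, or the zone is left with no signer."""
    gaps = []
    for k in keys.values():
        s = keys.get(k.successor) if k.successor else None
        if s is not None and s.activated > k.deactivated:
            gaps.append(f"{k.key_id}: no signer from {k.deactivated} to {s.activated}")
    return gaps

# Constructed sample records for one zone (not real keys); D parses ISO dates.
D = datetime.fromisoformat
KEYS = {
    "K1": KeyMeta("K1", D("2010-01-01"), D("2010-01-08"), D("2010-01-15"),
                  D("2010-03-01"), D("2010-03-15"), successor="K2"),
    "K2": KeyMeta("K2", D("2010-02-01"), D("2010-02-08"), D("2010-02-15"),
                  D("2010-05-01"), D("2010-05-15")),
}
BAD_KEY = KeyMeta("K3", D("2010-04-01"), D("2010-03-01"), D("2010-04-15"),
                  D("2010-06-01"), D("2010-06-15"))
```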
