BIND 9.10.0b1 is now available
Mark Elkins
mje at posix.co.za
Mon Mar 17 21:41:07 UTC 2014
On Mon, 2014-03-17 at 20:06 +0000, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> > Yes, it was my understanding of how HSM worked. That's why I was trying to
> > build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> > side, and PKCS11 interface for zone signing on the other.
>
> I'd advise doing that with two separate BIND instances -- sign using
> pkcs11 (possibly on a hidden master) and keep that separate from your
> recursion/validation.
>
> I'm interested to read this, though, because it's a use case I hadn't
> considered. We'll have to give it some thought. But right now there
> are three options:
>
> - build with regular openssl, no pkcs11
> - build with patched openssl, pkcs11 available via openssl shim
> (configure --with-openssl=/path/to/openssl/prefix
> --with-pkcs11=/path/to/provider.so)
> - build with native pkcs11, no openssl
> (configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)
I had not thought about that. BIND compiled with pkcs11 and no openssl
*has* to be used with an HSM (soft and Thales being the two tested
types) presumably as a Zone signer and can *not* be used as a DNSSEC
validating resolver.... (IMR)
One should be careful not to go mixing up the binaries!
--
Posix Systems - (South) Africa
mje at posix.co.za - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
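A small check for the "don't mix up the binaries" point above, added here as an example rather than anything from the BIND project or this thread: it classifies a `named` binary by the configure options recorded in its `named -V` output and refuses to use a native-PKCS#11 build (no OpenSSL, so no DNSSEC validation) in a resolver role. It assumes `named -V` prints the configure arguments on a line starting with "built by make with"; the sample outputs and the `/path/to/provider.so` paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not BIND project code. Classifies a named build from the
# text of `named -V` and gates deployment roles on the result.
# Assumption: `named -V` includes a line "built by make with '<configure args>'".

classify_bind_build() {
    # $1: full text of `named -V` output
    # The trailing `head` keeps the pipeline's status 0 even when grep finds nothing.
    _cfg=$(printf '%s\n' "$1" | grep -i 'built by make with' | head -n 1)
    case "$_cfg" in
        *--enable-native-pkcs11*) echo "native-pkcs11" ;;       # no OpenSSL: signer only
        *--with-pkcs11=*)          echo "openssl+pkcs11-shim" ;; # patched OpenSSL, HSM via shim
        ?*)                        echo "openssl" ;;             # plain OpenSSL build
        *)                         echo "unknown" ;;             # no configure line found
    esac
}

# Returns 0 if a build of the given class can act as a validating resolver.
can_validate() {
    case "$1" in
        native-pkcs11|unknown) return 1 ;;
        *)                     return 0 ;;
    esac
}

# Refuse to run a resolver role on a build that cannot validate.
# $1: role (resolver|signer), $2: `named -V` output
check_role() {
    _class=$(classify_bind_build "$2")
    if [ "$1" = resolver ] && ! can_validate "$_class"; then
        echo "REFUSE: $_class build cannot validate DNSSEC"
        return 1
    fi
    echo "OK: $_class build accepted for role $1"
    return 0
}

# Constructed sample outputs (placeholder paths; real output differs per host).
SAMPLE_NATIVE="BIND 9.10.0b1
built by make with '--prefix=/opt/bind-signer' '--enable-native-pkcs11' '--with-pkcs11=/path/to/provider.so'"

SAMPLE_SHIM="BIND 9.10.0b1
built by make with '--prefix=/opt/bind' '--with-openssl=/path/to/openssl/prefix' '--with-pkcs11=/path/to/provider.so'"

SAMPLE_PLAIN="BIND 9.10.0b1
built by make with '--prefix=/usr' '--with-openssl=/usr'"

# Usage on a live host would be: check_role resolver "$(named -V)"
check_role resolver "$SAMPLE_NATIVE" || true
check_role signer   "$SAMPLE_NATIVE"
check_role resolver "$SAMPLE_SHIM"
check_role resolver "$SAMPLE_PLAIN"
```

The classification only looks at configure flags, so a build that recorded none is reported as `unknown` and treated as unsuitable for validation; that is the conservative default when provenance of a binary is unclear.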