BIND 9.10.0b1 is now available
Doug Barton
dougb at dougbarton.us
Mon Mar 17 21:43:36 UTC 2014
On 03/17/2014 01:06 PM, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
>> Yes, it was my understanding of how HSM worked. That's why I was trying to
>> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
>> side, and PKCS11 interface for zone signing on the other.
>
> I'd advise doing that with two separate BIND instances -- sign using
> pkcs11 (possibly on a hidden master) and keep that separate from your
> recursion/validation.
Evan, I think that Mathieu understands that from a "proper DNS
functionality" perspective. What he's struggling with is that, the way
FreeBSD ports are set up, they don't really have a "flag" for "This
configuration of options will give you an authoritative-only server that
you cannot use for general purpose recursion/validation" within a
specific set of options for the general purpose port.
Mathieu, if I may, what I would do in this situation is create a slave
port for the HSM compile options, and put some sort of warning
(pre-compile, pkg-message, or both) that clearly indicates to the user
that this configuration is limited to auth-only. That's the least
painful way I can think of to deal with it offhand. You may come up
with a more creative solution.
hth,
Doug
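The two-instance split Evan suggests above, as an added illustration that is not part of the thread and not the FreeBSD port's own configuration: one named built with PKCS#11 support acts as a hidden, authoritative-only signing master, and a separately built and separately addressed named does all recursion and validation. Addresses, the zone name, and file paths are placeholders; how the HSM-held keys are selected for signing is left to the signing tooling and is not shown.

```conf
# --- named-signer.conf: hidden master, PKCS#11 build, authoritative only ---
# Placeholder addresses: 192.0.2.10 = hidden master, 192.0.2.20 = public secondary.
options {
    directory "/usr/local/etc/namedb";   # placeholder path
    listen-on { 192.0.2.10; };
    recursion no;                        # refuse recursive queries; this box only serves its zones
    allow-query { any; };
    allow-transfer { 192.0.2.20; };      # only the public secondaries may pull the signed zone
    notify explicit;
    also-notify { 192.0.2.20; };
    key-directory "keys";                # placeholder; public-key side of the HSM-backed keys
};

zone "example.com" {
    type master;
    file "master/example.com.db";        # placeholder
    inline-signing yes;                  # sign on this instance; the unsigned zone stays untouched
    auto-dnssec maintain;
};

# --- named-resolver.conf: general-purpose validating resolver, OpenSSL build ---
# A second named process on its own address; it holds no authoritative zones.
options {
    directory "/usr/local/etc/namedb";   # placeholder path
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   # placeholder client network; do not leave this open
    dnssec-validation auto;              # validate using the built-in root trust anchor
};
```

The point of the separation is that the auth-only instance never answers recursive queries (recursion no), so the limitation of the HSM-enabled build, which cannot do validation, never reaches end users, while the resolver instance needs no access to the HSM at all.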