My understanding is that you don't need this unless you're planning on using hardware security modules. You can still generate and manage keys without pkcs11.

See: http://www.isc.org/software/bind/new-features/9.7

cv

Timothy Holtzen wrote:
> Has anyone been able to get 9.7.1-P2 to build with pkcs11 and run on
> RHEL/CentOS 5? I appear to be able to configure and make without any
> problems but when I go to run it I get the following error in the log.
>
> named[14899]: starting BIND 9.7.1-P2 -c /etc/named.conf -t /var/named/chroot
> named[14899]: built with '--with-libtool' '--localstatedir=/var'
> '--disable-threads' '--enable-ipv6' '--disable-static' '--with-pic'
> '--disable-openssl-version-check'
> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-gssapi=yes'
> '--disable-isc-spnego'
> named[14899]: using up to 4096 sockets
> named[14899]: initializing DST: no engine
> named[14899]: exiting (due to fatal error)
>
> From what I have been able to deduce this means that bind can't find or
> use the pkcs11 encryption engine. Compiling without the "--with-pkcs11"
> option produces a functional executable. Strangely the exact same
> configuration options worked just fine with 9.7.0 so something seems to
> have changed between those releases. My ultimate goal is to do a full
> DNSSEC deployment so I'm guessing the pkcs11 option is going to be
> required if I want to generate and manage keys etc. Anyone have any
> ideas? I suspect that I'm missing some encryption library or something.
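
Added example, not part of the original thread: a small Python triage helper that picks out, from named startup log lines like those quoted above, start attempts that were built with `--with-pkcs11` and exit right after the `initializing DST` message. The function names and the rejoined sample log are constructed for illustration.

```python
import re

# Constructed sample: the startup lines quoted in the message, with the
# wrapped "built with" line rejoined into the single line syslog would hold.
SAMPLE_LOG = (
    "named[14899]: starting BIND 9.7.1-P2 -c /etc/named.conf -t /var/named/chroot\n"
    "named[14899]: built with '--with-libtool' '--localstatedir=/var' "
    "'--disable-threads' '--enable-ipv6' '--disable-static' '--with-pic' "
    "'--disable-openssl-version-check' "
    "'--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-gssapi=yes' "
    "'--disable-isc-spnego'\n"
    "named[14899]: using up to 4096 sockets\n"
    "named[14899]: initializing DST: no engine\n"
    "named[14899]: exiting (due to fatal error)\n"
)

NAMED_LINE = re.compile(r"named\[(\d+)\]: (.*)")

def triage(log_text):
    """Summarise each named start attempt (keyed by PID) found in log_text."""
    runs = {}
    for raw in log_text.splitlines():
        m = NAMED_LINE.search(raw)
        if not m:
            continue  # not a named line (other daemons, blank lines)
        pid, msg = int(m.group(1)), m.group(2)
        run = runs.setdefault(pid, {"pid": pid, "version": None, "chroot": None,
                                    "pkcs11_provider": None, "dst_error": None,
                                    "fatal": False})
        if msg.startswith("starting BIND "):
            args = msg.split()
            run["version"] = args[2] if len(args) > 2 else None
            if "-t" in args[:-1]:  # chroot directory passed on the command line
                run["chroot"] = args[args.index("-t") + 1]
        elif msg.startswith("built with "):
            for flag in re.findall(r"'([^']*)'", msg):
                if flag.startswith("--with-pkcs11="):
                    run["pkcs11_provider"] = flag.split("=", 1)[1]
        elif msg.startswith("initializing DST: "):
            run["dst_error"] = msg.split(": ", 1)[1]
        elif msg.startswith("exiting (due to fatal error)"):
            run["fatal"] = True
    return list(runs.values())

def pkcs11_start_failures(log_text):
    """Start attempts built with PKCS#11 that died while initialising DST."""
    return [r for r in triage(log_text)
            if r["fatal"] and r["dst_error"] and r["pkcs11_provider"]]
```

Calling `pkcs11_start_failures(SAMPLE_LOG)` returns one record carrying the BIND version, the chroot directory and the PKCS#11 provider path from the configure flags, which are the details to include when reporting such a failure.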