On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> Yes, it was my understanding of how HSM worked. That's why I was trying to
> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> side, and PKCS11 interface for zone signing on the other.
I'd advise doing that with two separate BIND instances -- sign using pkcs11 (possibly on a hidden master) and keep that separate from your recursion/validation.

I'm interested to read this, though, because it's a use case I hadn't considered. We'll have to give it some thought.

But right now there are three options:

- build with regular openssl, no pkcs11
- build with patched openssl, pkcs11 available via openssl shim (configure --with-openssl=/path/to/openssl/prefix --with-pkcs11=/path/to/provider.so)
- build with native pkcs11, no openssl (configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
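The split Evan recommends above, sketched as two named.conf fragments. This is an added example, not configuration from the thread or from ISC: one instance is a hidden master built with pkcs11 support that signs the zone with HSM-resident keys and does no recursion, the other is a plain OpenSSL build that recurses and validates and never holds signing keys. The addresses, paths and zone name are placeholders chosen for the example; the key files in key-directory are assumed to have been created with dnssec-keyfromlabel so that the private key material stays in the token.

```conf
// ---- Instance 1: hidden master (build with pkcs11, native or via the openssl shim) ----
// Signs example.com with keys referenced from the HSM; serves only the secondaries.
options {
    directory "/var/named";            // placeholder path
    recursion no;                      // signing box never recurses
    dnssec-validation no;              // validation is the resolver's job
    listen-on { 192.0.2.10; };         // placeholder: not a public address
    allow-query { 192.0.2.0/24; };     // only the secondaries may query
    allow-transfer { 192.0.2.20; };    // placeholder: public-facing secondary
    notify explicit;
    also-notify { 192.0.2.20; };
};

zone "example.com" {
    type master;
    file "example.com.db";             // unsigned zone data; BIND keeps the signed copy
    key-directory "/var/named/keys";   // K*.key / K*.private produced by dnssec-keyfromlabel
    inline-signing yes;                // sign a separate signed copy of the zone
    auto-dnssec maintain;              // roll keys and refresh signatures automatically
};

// ---- Instance 2: validating resolver (regular openssl build, no pkcs11) ----
// Holds no signing keys; answers clients and validates DNSSEC.
options {
    directory "/var/named";            // placeholder path
    recursion yes;
    allow-recursion { 192.0.2.0/24; }; // placeholder: your client networks
    dnssec-validation auto;            // validate using the built-in root trust anchor
    allow-transfer { none; };          // nothing to transfer from a resolver
};
```

Keeping the two roles on separate processes (ideally separate hosts) also keeps the PKCS#11 provider library, its PIN and the HSM session out of the address space that handles untrusted client queries, which is the security benefit of the split beyond the build-time constraint the thread is about.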