> Well, I'm going to put a radio button for people to use the native PKCS11
> or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
> And add warnings telling people that this BIND can't be used as a
> validating resolver. (it's not auth only, I assume it can still resolve,
> but not validate.)
If the pkcs11 provider has a complete implementation of the pkcs11
API, then it can be used for validation. I don't advise it, but
it should work. (With SoftHSMv2, it might not even be all that
slow, since the code runs locally -- I haven't benchmarked it.)
> On the other hand, if the HSM selection has to be done at compile time,
> like Evan suggest, and not at runtime through a named.conf directive, it's
> a bit pointless, the only "HSM" we have in the ports collection being
> SoftHSM.
HSM selection can be postponed, actually; IIRC, you configure BIND
with --enable-native-pkcs11 but omit --with-pkcs11, then specify the
provider library on the command line ('named -E /path/to/libsofthsm.so').
We haven't made it a named.conf directive though; it hadn't occurred to me
before that anyone would want this for any purpose other than testing.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
