> Well, I'm going to put a radio button for people to use the native PKCS11
> or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
> And add warnings telling people that this BIND can't be used as a
> validating resolver. (it's not auth only, I assume it can still resolve,
> but not validate.)

If the pkcs11 provider has a complete implementation of the pkcs11 API, then it can be used for validation. I don't advise it, but it should work. (With SoftHSMv2, it might not even be all that slow, since the code runs locally -- I haven't benchmarked it.)

> On the other hand, if the HSM selection has to be done at compile time,
> like Evan suggests, and not at runtime through a named.conf directive, it's
> a bit pointless, the only "HSM" we have in the ports collection being
> SoftHSM.

HSM selection can be postponed, actually; IIRC, you configure BIND with --enable-native-pkcs11 but omit --with-pkcs11, then specify the provider library on the command line ('named -E /path/to/libsofthsm.so'). We haven't made it a named.conf directive though; it hadn't occurred to me before that anyone would want this for any purpose other than testing.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
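Whether a provider "has a complete implementation of the pkcs11 API" can be checked before pointing `named -E` at it: the script below (an added example, not code from ISC or the thread) loads the library, fetches its CK_FUNCTION_LIST and reports which entry points are NULL. The thread does not say which entry points BIND's native PKCS#11 path calls during validation, so the VERIFY_REQUIRED set is an assumption based on what public-key signature verification involves.

```python
import ctypes

# Member order of CK_FUNCTION_LIST as declared in pkcs11f.h (PKCS#11 v2.x).
PKCS11_FUNCTIONS = (
    "C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList "
    "C_GetSlotInfo C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo "
    "C_InitToken C_InitPIN C_SetPIN C_OpenSession C_CloseSession "
    "C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
    "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject "
    "C_DestroyObject C_GetObjectSize C_GetAttributeValue C_SetAttributeValue "
    "C_FindObjectsInit C_FindObjects C_FindObjectsFinal C_EncryptInit "
    "C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit C_Decrypt "
    "C_DecryptUpdate C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate "
    "C_DigestKey C_DigestFinal C_SignInit C_Sign C_SignUpdate C_SignFinal "
    "C_SignRecoverInit C_SignRecover C_VerifyInit C_Verify C_VerifyUpdate "
    "C_VerifyFinal C_VerifyRecoverInit C_VerifyRecover C_DigestEncryptUpdate "
    "C_DecryptDigestUpdate C_SignEncryptUpdate C_DecryptVerifyUpdate "
    "C_GenerateKey C_GenerateKeyPair C_WrapKey C_UnwrapKey C_DeriveKey "
    "C_SeedRandom C_GenerateRandom C_GetFunctionStatus C_CancelFunction "
    "C_WaitForSlotEvent"
).split()

class CK_FUNCTION_LIST(ctypes.Structure):
    # CK_VERSION (major, minor) followed by one pointer per entry point;
    # pointers are kept as c_void_p because only NULL-ness is checked here.
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)] + [
        (name, ctypes.c_void_p) for name in PKCS11_FUNCTIONS]

# Assumed minimum for public-key signature verification: session handling,
# object lookup, and the digest/verify operations. Not taken from BIND.
VERIFY_REQUIRED = (
    "C_Initialize", "C_Finalize", "C_GetSlotList", "C_OpenSession",
    "C_CloseSession", "C_CreateObject", "C_DestroyObject", "C_FindObjectsInit",
    "C_FindObjects", "C_FindObjectsFinal", "C_DigestInit", "C_DigestUpdate",
    "C_DigestFinal", "C_VerifyInit", "C_Verify")

def missing_functions(flist, required=VERIFY_REQUIRED):
    """Names from `required` whose entry point is NULL in the provider."""
    return [n for n in required if getattr(flist, n) is None]

def load_function_list(path):
    """dlopen a provider (e.g. libsofthsm2.so) and call its C_GetFunctionList."""
    lib = ctypes.CDLL(path)
    lib.C_GetFunctionList.restype = ctypes.c_ulong  # CK_RV
    ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = lib.C_GetFunctionList(ctypes.byref(ptr))
    if rv != 0:  # anything but CKR_OK
        raise RuntimeError("C_GetFunctionList returned 0x%x" % rv)
    return ptr.contents
```

Run `missing_functions(load_function_list("/path/to/libsofthsm.so"))` against the library you intend to pass to `named -E`; an empty list means every assumed entry point is present, a non-empty one names what the provider stubs out.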