> Well, I'm going to put a radio button for people to use the native PKCS11
> or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
> And add warnings telling people that this BIND can't be used as a
> validating resolver. (it's not auth only, I assume it can still resolve,
> bu
+--On 17 mars 2014 14:43:36 -0700 Doug Barton wrote:
| On 03/17/2014 01:06 PM, Evan Hunt wrote:
|> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
|>> Yes, it was my understanding of how HSM worked. That's why I was trying
|>> to build with OpenSSL *and* native PKCS11, to get the D
On Mon, Mar 17, 2014 at 11:41:07PM +0200, Mark Elkins wrote:
> I had not thought about that. BIND compiled with pkcs11 and no openssl
> *has* to be used with an HSM (soft and Thales being the two tested
> types) presumably as a Zone signer and can *not* be used as a DNSSEC
> validating resolver
On Mon, 2014-03-17 at 20:06 +, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> > Yes, it was my understanding of how HSM worked. That's why I was trying to
> > build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> > side, and PKCS11 i
On 03/17/2014 01:06 PM, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
>> Yes, it was my understanding of how HSM worked. That's why I was trying to
>> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
>> side, and PKCS11 interface for zone sign
On Mar 16, 2014, at 3:32 AM, Bob McDonald wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master by
> the slaves or do I need to have all Windows devices needing update capability
> to point at the master?
>
> TIA,
>
> Bob
I don't believe it works with update for
On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> Yes, it was my understanding of how HSM worked. That's why I was trying to
> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> side, and PKCS11 interface for zone signing on the other.
I'd advise doing th
+--On 17 mars 2014 12:36:32 -0700 Doug Barton wrote:
| On 03/17/2014 12:29 PM, Mathieu Arnold wrote:
|> Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if
|> this seems a silly question.)
|
| HSMs are typically an auth-only tool, although I suppose that in a
| super-high-secur
On 03/17/2014 12:29 PM, Mathieu Arnold wrote:
> Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if this
> seems a silly question.)
HSMs are typically an auth-only tool, although I suppose that in a
super-high-security environment that they could be justified for
validation ...
+--On 17 mars 2014 17:51:33 + Evan Hunt wrote:
| This new code uses pkcs11 for all crypto, instead of using openssl as a
| shim. So yes, you can build with either native pkcs11 or openssl, but
| not both.
Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if this
seems a sil
> | Has anyone tried this yet? - either using SoftHSM or a Thales HSM?
> |
> | I have access to a totally unconfigured Thales netShield Connect 500.
> |
> | Without reading *all* the manuals - anyone have a HowTo setup to make
> | one of these beasties talk PKCS#11... a Goto page XX is acceptabl
+--On 17 mars 2014 18:56:25 +0200 Mark Elkins wrote:
| On Wed, 2014-02-26 at 00:55 +, Michael McNally wrote:
|>A new compile-time option, "configure --enable-native-pkcs11",
|>allows the BIND 9 cryptography functions to use the PKCS#11 API
|>natively, so that BIND can drive a crypt
On Wed, 2014-02-26 at 00:55 +, Michael McNally wrote:
>A new compile-time option, "configure --enable-native-pkcs11",
>allows the BIND 9 cryptography functions to use the PKCS#11 API
>natively, so that BIND can drive a cryptographic hardware service
>module (HSM) directly instea
Thanks for your reply.
Maybe I am a skeptic, but I am not skeptic of just bind, skeptic about
myself and any script that is generating zones, all I know that things
go wrong... including things caused by my own mistakes.
1. I now run a Bind and other DNS servers. I am not sure if interoper
Signed updates, that is...
On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master
> by the slaves or do I need to have all Windows devices needing update
> capability to point at the master?
>
> TIA,
>
> Bob
>
>
>
> On F
15 matches