24 lines
973 B
Plaintext
24 lines
973 B
Plaintext
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
|
|
engine specified by the named_pkcss11_engine variable in
|
|
/etc/rc.conf for *all* crypto operations.
|
|
|
|
This is primarily intended to be used in an authoritative
|
|
case.
|
|
|
|
If BIND will also be operating as a validating resolver,
|
|
NATIVE_PKCS11 should not be used, because the HSM will be
|
|
used for DNSSEC validations, and the HSM is likely to be
|
|
slower than the CPU for this purpose. Additionally, the HSM
|
|
might not support all of the PKCS#11 API functions needed
|
|
for signature verification.
|
|
|
|
|
|
GOST
|
|
If using a chrooted instance of BIND, the OpenSSL engines
|
|
need to be accessible from within the chroot. If BIND
|
|
is chrooted in /var/named, this can be achieved by either
|
|
copying content of /usr/local/lib/engines into
|
|
/var/named/usr/local/lib/engines, or by creating that
|
|
directory and adding this line to /etc/fstab:
|
|
/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0
|