On Mon, 2014-03-17 at 20:06 +0000, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> > Yes, it was my understanding of how HSM worked. That's why I was trying to
> > build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> > side, and PKCS11 interface for zone signing on the other.
>
> I'd advise doing that with two separate BIND instances -- sign using
> pkcs11 (possibly on a hidden master) and keep that separate from your
> recursion/validation.
>
> I'm interested to read this, though, because it's a use case I hadn't
> considered. We'll have to give it some thought. But right now there
> are three options:
>
> - build with regular openssl, no pkcs11
> - build with patched openssl, pkcs11 available via openssl shim
>   (configure --with-openssl=/path/to/openssl/prefix
>   --with-pkcs11=/path/to/provider.so)
> - build with native pkcs11, no openssl
>   (configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)
I had not thought about that. BIND compiled with pkcs11 and no openssl *has* to be used with an HSM (soft and Thales being the two tested types), presumably as a zone signer, and can *not* be used as a DNSSEC validating resolver (IMR). One should be careful not to go mixing up the binaries!

--
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
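As an added example (not code from this thread or from ISC), a small POSIX sh check that classifies a BIND binary from the configure arguments `named -V` reports and refuses to use a native-pkcs11 build as a validating resolver, which is the "don't mix up the binaries" point above. The exact `named -V` line format, the sample reports and the provider paths are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC: decide from a
# binary's "named -V" report which of the three build flavours it is, so
# a pkcs11-only signer build is not deployed as a validating resolver.
# Assumption: "named -V" prints the configure arguments on a line of the
# form "... built ... with '<args>'"; the samples below are constructed.

# Print the build flavour for the "named -V" output passed as $1.
classify_bind_build() {
  line=$(printf '%s\n' "$1" | grep 'built ' | head -n 1)
  conf=${line#*with }   # everything after the "with " keyword
  case "$conf" in
    *--enable-native-pkcs11*)
      echo "native-pkcs11: signer only, no DNSSEC validation" ;;
    *--with-pkcs11*)
      echo "openssl-shim: validation via OpenSSL, signing via PKCS#11" ;;
    *)
      echo "openssl: validation only, no PKCS#11" ;;
  esac
}

# Exit 0 if the build may serve as a validating resolver, 1 otherwise.
can_validate() {
  case "$(classify_bind_build "$1")" in
    native-pkcs11*) return 1 ;;
    *)              return 0 ;;
  esac
}

# Constructed sample reports, one per build option in the thread.
SAMPLE_PLAIN="BIND 9.9.5 built with '--with-openssl=/usr'
compiled by GCC 4.8.2"
SAMPLE_SHIM="BIND 9.9.5 built with '--with-openssl=/opt/openssl-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm.so'
compiled by GCC 4.8.2"
SAMPLE_NATIVE="BIND 9.10.0 built by make with '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm.so'
compiled by GCC 4.8.2"

# Refuse to start a validating resolver from the wrong flavour of binary.
check_resolver_binary() {
  report=$(named -V 2>&1) || return 2          # named missing or not runnable
  if can_validate "$report"; then
    echo "OK: $(classify_bind_build "$report")"
  else
    echo "REFUSING: $(classify_bind_build "$report")" >&2
    return 1
  fi
}
```

Run `check_resolver_binary` from a resolver's start-up script; it only calls `named -V`, so it is safe to run on any host where the binary is installed.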