On 03/17/2014 01:06 PM, Evan Hunt wrote:
On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
Yes, it was my understanding of how HSM worked. That's why I was trying to
build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
side, and PKCS11 interface for zone signing on the other.
I'd advise doing that with two separate BIND instances -- sign using
pkcs11 (possibly on a hidden master) and keep that separate from your
recursion/validation.
Evan, I think that Mathieu understands that from a "proper DNS
functionality" perspective. What he's struggling with is that the way
FreeBSD ports are set up they don't really have a "flag" for "This
configuration of options will give you an authoritative-only server that
you cannot use for general purpose recursion/validation" within a
specific set of options for the general purpose port.
Mathieu, if I may, what I would do in this situation is create a slave
port for the HSM compile options, and put some sort of warning
(pre-compile, pkg-message, or both) that clearly indicates to the user
that this configuration is limited to auth-only. That's the least
painful way I can think of to deal with it off hand. You may come up
with a more creative solution.
hth,
Doug
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users