author | Mathieu Arnold <mat@FreeBSD.org> | 2017-10-25 16:12:04 +0000 |
---|---|---|
committer | Mathieu Arnold <mat@FreeBSD.org> | 2017-10-25 16:12:04 +0000 |
commit | 2414c4bce8d4ba62e96dcd6ce4303ab984ede3a6 (patch) | |
tree | ecfdca6ce5c6f1d1cfd0282bf19eec4fcf2fd1dc /dns/bind912/pkg-help | |
parent | c02e5e929858000e762cad3bf21574ca56886f3c (diff) | |
Diffstat (limited to 'dns/bind912/pkg-help')
-rw-r--r-- | dns/bind912/pkg-help | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/dns/bind912/pkg-help b/dns/bind912/pkg-help new file mode 100644 index 000000000000..aa85330b21d7 --- /dev/null +++ b/dns/bind912/pkg-help @@ -0,0 +1,30 @@ + NATIVE_PKCS11 +When using the NATIVE_PKCS11 option, BIND will use the PKCS#11 +engine specified by the named_pkcss11_engine variable in +/etc/rc.conf for *all* crypto operations. + +This is primarily intended to be used in an authoritative +case. + +If BIND is also operating as a validating resolver, +NATIVE_PKCS11 should not be used, because the HSM will be +used for all crypto, including DNSSEC validations, and the +HSM is likely to be slower than the CPU for this purpose. +Additionally, the HSM might not support all of the PKCS#11 +API functions needed for signature verification. + + + GOST +If using a chrooted instance of BIND on FreeBSD 8.x and 9.x, +the OpenSSL engines MUST be accessible from within the chroot. +If BIND is chrooted in /var/named, this can be achieved by +either copying content of /usr/local/lib/engines into +/var/named/usr/local/lib/engines, or by creating that directory +and adding this line to /etc/fstab: +/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0 + + + START_LATE +Most of the time, BIND needs to start early in the boot +process. Enable this if BIND starts too early for you and +you need it to start later. |
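Review bot: In the NATIVE_PKCS11 paragraph the rc.conf variable is written named_pkcss11_engine, with a doubled "s" that does not match the PKCS#11 spelling used everywhere else in the text. Please check it against the name the port's rc script actually reads: if the help text is off by a letter, an operator who copies it into /etc/rc.conf sets a variable nothing consumes, and the HSM engine they meant to select is never configured. Two smaller points in the same file: "in an authoritative case" would read more clearly as "on an authoritative-only server", since the next paragraph contrasts it with a validating resolver. In the GOST paragraph, the nullfs mount with "ro" is the safer of the two options offered, because a copied engines directory inside the chroot will go stale when OpenSSL is updated; consider saying so, so readers pick the mount over the copy.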