Minor tweaks to PKCS#11 docs and ARM formatting

Explain more clearly what engine_pkcs11 is. Fix improperly rendered pre-formatted text.
2025-08-31 22:45:39 +00:00 · 2021-10-11 14:39:06 +02:00
parent b964ec71eb
commit 9af0b8dbf4
2 changed files with 22 additions and 4 deletions
--- a/doc/arm/pkcs11.rst
+++ b/doc/arm/pkcs11.rst
@@ -22,10 +22,13 @@ library which provides a low-level PKCS#11 interface to drive the HSM
 hardware. The PKCS#11 provider library comes from the HSM vendor, and it
 is specific to the HSM to be controlled.
-BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project.  The engine is
+BIND 9 uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL
-dynamically loaded into OpenSSL and the HSM is operated indirectly; any
+engine which is part of the `OpenSC`_ project. The engine is dynamically
-cryptographic operations not supported by the HSM can be carried out by OpenSSL
+loaded into OpenSSL and the HSM is operated indirectly; any
-instead.
+cryptographic operations not supported by the HSM can be carried out by
 OpenSSL instead.
 .. _OpenSC: https://github.com/OpenSC/libp11
 Prerequisites
 ~~~~~~~~~~~~~
@@ -93,22 +96,26 @@ going to copy the global OpenSSL configuration (often found in
 ``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
 ::
   cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
 and export the environment variable:
 ::
   export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
 Now add following line at the top of file, before any sections (in square
 brackets) are defined:
 ::
   openssl_conf = openssl_init
 And add following lines at the bottom of the file:
 ::
   [openssl_init]
   engines=engine_section
@@ -153,31 +160,37 @@ name of the PKCS#11 object (called label when generating the keys using
 Convert the KSK:
 ::
   dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
 and ZSK:
 ::
   dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net
 NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
 ::
   (umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)
 and then use in the label specification:
 ::
   pin-source=/opt/bind9/etc/pin.txt
 Confirm that you have one KSK and one ZSK present in the current directory:
 ::
   ls -l K*
 The output should look like this (the second number will be different):
 ::
   Kexample.net.+008+31729.key
   Kexample.net.+008+31729.private
   Kexample.net.+008+42231.key
@@ -196,6 +209,7 @@ The zone signing commences as usual, with only one small difference.  We need to
 provide the name of the OpenSSL engine using the -E command line option.
 ::
   dnssec-signzone -E pkcs11 -S -o example.net example.net
 Running ``named`` With Automatic Zone Re-signing
@@ -205,11 +219,13 @@ The zone can also be signed automatically by named. Again, we need to provide
 the name of the OpenSSL engine using the -E command line option.
 ::
   named -E pkcs11 -c named.conf
 and the logs should have lines like:
 ::
   Fetching example.net/RSASHA256/31729 (KSK) from key repository.
   DNSKEY example.net/RSASHA256/31729 (KSK) is now published
   DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4818,6 +4818,7 @@ A Diffie-Hellman parameters file can be generated using e.g. OpenSSL,
 like follows:
 ::
   openssl dhparam -out /path/to/dhparam.pem <3072_or_4096>
 Ensure that it gets generated on a machine with enough entropy from
@@ -6654,6 +6655,7 @@ be converted to ``text`` format by the ``named-compilezone`` command,
 then converted back after editing.  For example:
 ::
    named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
    [edit zonefile.text]
    named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text