mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00

[master] add text clarifying native-pkcs11

Evan Hunt
2014-02-28 08:10:44 -08:00
parent 368aedf188
commit e94261f0bc

README

@@ -120,9 +120,12 @@ BIND 9.10.0
allows BIND 9 cryptography functions to use the PKCS#11 API allows BIND 9 cryptography functions to use the PKCS#11 API
natively, so that BIND can drive a cryptographic hardware natively, so that BIND can drive a cryptographic hardware
service module (HSM) directly instead of using a modified service module (HSM) directly instead of using a modified
OpenSSL as an intermediary. This has been tested with the OpenSSL as an intermediary. (Note: This feature requires an
Thales nShield HSM and with SoftHSMv2 from the Open DNSSEC HSM to have a full implementation of the PKCS#11 API; many
project. current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness.
Native PKCS#11 is known to work with the Thales nShield HSM
and with SoftHSM version 2 from the Open DNSSEC project.)
- The new "max-zone-ttl" option enforces maximum TTLs for - The new "max-zone-ttl" option enforces maximum TTLs for
zones. This can simplify the process of rolling DNSSEC keys zones. This can simplify the process of rolling DNSSEC keys
by guaranteeing that cached signatures will have expired by guaranteeing that cached signatures will have expired
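
Review bot: In the added parenthetical on native PKCS#11, "a full implementation of the PKCS#11 API" gives an operator nothing to check against: it does not say which parts of the API BIND relies on, or what "pkcs11-tokens" reports when a token falls short. Suggest naming the required functionality, or pointing to where it is documented, and adding one clause on what output from "pkcs11-tokens" indicates an incomplete implementation. Separately, the rewording from "has been tested with" to "is known to work with" is a stronger statement about the Thales nShield HSM and SoftHSM version 2; if it rests on the same testing, "tested with" is the more accurate wording. The project name is spelled "OpenDNSSEC", one word.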