ee84f127aa
https://kb.isc.org/article/AA-01314/0 Tunes certain compiled-in constants and default settings to values better suited to large servers with 12/16GB+ of memory. This can improve performance on such servers, but will consume more memory and may degrade performance on smaller systems. PR: 224859 Sponsored by: Absolight
NATIVE_PKCS11
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
engine specified by the named_pkcss11_engine variable in
/etc/rc.conf for *all* crypto operations.

This is primarily intended to be used in an authoritative
case.

If BIND is also operating as a validating resolver,
NATIVE_PKCS11 should not be used, because the HSM will be
used for all crypto, including DNSSEC validations, and the
HSM is likely to be slower than the CPU for this purpose.
Additionally, the HSM might not support all of the PKCS#11
API functions needed for signature verification.

START_LATE
Most of the time, BIND needs to start early in the boot
process. Enable this if BIND starts too early for you and
you need it to start later.

TUNING_LARGE
https://kb.isc.org/article/AA-01314/0
Tunes certain compiled-in constants and default settings to
values better suited to large servers with 12/16GB+ of memory.
This can improve performance on such servers, but will consume
more memory and may degrade performance on smaller systems.