022e70ccdc
BIND 9.11 brings many changes to BIND, including a new license (the Mozilla Public License 2.0 -- you can read about it here: https://www.isc.org/blogs/bind9-adopts-the-mpl-2-0-license-with-bind-9-11-0/) and many new features, including:

- Catalog zones, a new way to provision zones on slave servers
- dyndb api, a fast new api enabling BIND to serve zones stored in a database (Developed by Petr Spacek of RedHat)
- RNDC showzone, view-only mode and other improvements
- dnstap query and response logging (Robert Edmonds is the author of dnstap, see www.dnstap.info)
- EDNS Client-subnet (authoritative server functions)
- DNSSEC key manager, a new utility (Thanks to Sebastián Castro for helping with development.)
- Automatic CDS/CDSKEY generation
- Negative Trust Anchors for DNSSEC validators
- IPv6 bias to encourage use of IPv6 DNS servers
- Minimal response to “any” queries (Thanks to Tony Finch for the contribution)
- DNS Cookies are now enabled by default, using the standardized code point

Changes: https://lists.isc.org/pipermail/bind-announce/2016-June/000994.html

Sponsored by: Absolight
30 lines
1.2 KiB
Text
NATIVE_PKCS11

  When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
  engine specified by the named_pkcs11_engine variable in
  /etc/rc.conf for *all* crypto operations.

  This is primarily intended to be used in an authoritative
  case.

  If BIND is also operating as a validating resolver,
  NATIVE_PKCS11 should not be used, because the HSM will be
  used for all crypto, including DNSSEC validations, and the
  HSM is likely to be slower than the CPU for this purpose.
  Additionally, the HSM might not support all of the PKCS#11
  API functions needed for signature verification.

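The combination the NATIVE_PKCS11 note warns against (an HSM engine configured on a server that is still a validating resolver) is easy to check for before named starts. The script below is an added example, not part of the port or of BIND: it reads named_pkcs11_engine from an rc.conf-style file and dnssec-validation from a named.conf-style file and flags the risky pairing. The variable name and file layout are taken from the note above; the sample files it builds are constructed for the demonstration, and the engine value "pkcs11" in them is a placeholder.

```shell
#!/bin/sh
# Added example: pre-start consistency check for NATIVE_PKCS11 deployments.
# Not part of the dns/bind911 port. Assumes the rc.conf variable name
# named_pkcs11_engine as stated in the pkg-message.

# Print the value of named_pkcs11_engine from an rc.conf-style file
# (last assignment wins, quotes and trailing comments stripped;
# empty output when the variable is not set).
pkcs11_engine_from_rcconf() {
    grep '^[[:space:]]*named_pkcs11_engine=' "$1" 2>/dev/null \
        | tail -n 1 \
        | sed 's/^[^=]*=//; s/[[:space:]]*#.*$//' \
        | tr -d '"'"'"
}

# Return 0 if named.conf explicitly sets "dnssec-validation no;", 1 otherwise.
# BIND's default for this option is not "no", so an absent option is treated
# as "validation may be on", which is the conservative reading for this check.
validation_disabled() {
    grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+no[[:space:]]*;' "$1"
}

# Return 0 when the configuration is consistent with the note (no engine, or an
# engine on a non-validating server) and 1 when an HSM engine is configured on a
# server that would also route DNSSEC validation through it.
check_native_pkcs11_config() {
    rcconf=$1
    namedconf=$2
    engine=$(pkcs11_engine_from_rcconf "$rcconf")
    if [ -z "$engine" ]; then
        return 0
    fi
    if validation_disabled "$namedconf"; then
        return 0
    fi
    echo "warning: named_pkcs11_engine=$engine is set but dnssec-validation is not 'no';" >&2
    echo "         the HSM would also be used for DNSSEC validation" >&2
    return 1
}

# Stand-alone demonstration on constructed sample files.
run_demo() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/rc.conf" <<'EOF'
named_enable="YES"
named_pkcs11_engine="pkcs11"   # placeholder engine name
EOF
    cat > "$demo_dir/named-auth.conf" <<'EOF'
options {
    recursion no;
    dnssec-validation no;
};
EOF
    cat > "$demo_dir/named-resolver.conf" <<'EOF'
options {
    recursion yes;
    dnssec-validation auto;
};
EOF
    check_native_pkcs11_config "$demo_dir/rc.conf" "$demo_dir/named-auth.conf" \
        && echo "authoritative config: ok"
    check_native_pkcs11_config "$demo_dir/rc.conf" "$demo_dir/named-resolver.conf" \
        || echo "resolver config: flagged"
    rm -rf "$demo_dir"
}

run_demo
```

The check is deliberately textual and only looks at the top-level options block of a single file; a named.conf that sets dnssec-validation inside a view or an included file needs the same test applied there.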
GOST

  If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
  the OpenSSL engines MUST be accessible from within the chroot.
  If BIND is chrooted in /var/named, this can be achieved by
  either copying content of /usr/local/lib/engines into
  /var/named/usr/local/lib/engines, or by creating that directory
  and adding this line to /etc/fstab:

  /usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0

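Both ways of making the engines visible inside the chroot (a copy, or a read-only nullfs mount declared in /etc/fstab) can be wrapped in small helpers so that the presence of the engines is verified rather than assumed. The script below is an added example, not part of the port: it derives the fstab line for an arbitrary chroot directory, performs the copy alternative, and checks that the engines directory inside the chroot exists and is non-empty. The paths default to the ones in the note; the demonstration builds a throwaway chroot with a constructed engine file instead of touching /var/named.

```shell
#!/bin/sh
# Added example: helpers for the chroot + OpenSSL engines requirement.
# Not part of the dns/bind911 port. Default paths follow the pkg-message;
# nothing here mounts anything, the fstab line is only generated.

# Print the /etc/fstab line that exposes the engines directory read-only
# inside the chroot via nullfs. $1 = chroot root, $2 = engines directory
# (defaults to /usr/local/lib/engines as in the note).
engines_fstab_line() {
    chroot_root=$1
    engines=${2:-/usr/local/lib/engines}
    printf '%s %s%s nullfs ro 0 0\n' "$engines" "$chroot_root" "$engines"
}

# Copy alternative: replicate the engines directory into the chroot.
# $1 = chroot root, $2 = engines directory (same default as above).
copy_engines_into_chroot() {
    chroot_root=$1
    engines=${2:-/usr/local/lib/engines}
    mkdir -p "$chroot_root$engines" || return 1
    cp -R "$engines/." "$chroot_root$engines/"
}

# Return 0 when the engines directory exists inside the chroot and is not
# empty (either a populated copy or a mounted nullfs), 1 otherwise.
# An empty mount point is exactly the state after "mkdir" but before the
# nullfs mount took effect, so emptiness is treated as a failure.
engines_in_chroot() {
    dir="$1${2:-/usr/local/lib/engines}"
    [ -d "$dir" ] || return 1
    [ -n "$(ls -A "$dir")" ]
}

# Stand-alone demonstration using a constructed chroot and engine file.
run_demo() {
    demo=$(mktemp -d)
    src="$demo/src-engines"            # stands in for /usr/local/lib/engines
    chroot_root="$demo/chroot"         # stands in for /var/named
    mkdir -p "$src"
    printf 'constructed placeholder, not a real engine\n' > "$src/gost.so"

    echo "fstab line for the mount alternative:"
    engines_fstab_line /var/named

    engines_in_chroot "$chroot_root" "$src" \
        || echo "before copy: engines not visible in chroot (expected)"
    copy_engines_into_chroot "$chroot_root" "$src"
    engines_in_chroot "$chroot_root" "$src" \
        && echo "after copy: engines visible in chroot"
    rm -rf "$demo"
}

run_demo
```

On a real host the check belongs in whatever wraps the named start (for example an rc.d precmd), so that a missing or not-yet-mounted engines directory is reported instead of surfacing later as an engine load failure.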
START_LATE

  Most of the time, BIND needs to start early in the boot
  process. Enable this if BIND starts too early for you and
  you need it to start later.