d4de1a5f8c
While there: Make it more maintainable by sorting stuff in the Makefile and removing vestigial pre 10.3 things. Refresh the root zone hints. "Fix" the configuration section telling you to get some top level zones from f.root-servers.net, which does not allow axfr any more. [1] PR: 218656 [1] Reported by: Thomas Steen Rasmussen / Tykling [1] MFH: 2017Q2 Sponsored by: Absolight
20 lines
781 B
Text
20 lines
781 B
Text
NATIVE_PKCS11
|
|
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
|
|
engine specified by the named_pkcss11_engine variable in
|
|
/etc/rc.conf for *all* crypto operations.
|
|
|
|
This is primarily intended to be used in an authoritative
|
|
case.
|
|
|
|
If BIND is also operating as a validating resolver,
|
|
NATIVE_PKCS11 should not be used, because the HSM will be
|
|
used for all crypto, including DNSSEC validations, and the
|
|
HSM is likely to be slower than the CPU for this purpose.
|
|
Additionally, the HSM might not support all of the PKCS#11
|
|
API functions needed for signature verification.
|
|
|
|
|
|
START_LATE
|
|
Most of the time, BIND needs to start early in the boot
|
|
process. Enable this if BIND starts too early for you and
|
|
you need it to start later.
|