Update documentation on -E option

The -E option does not default to pkcs11 if --with-pkcs11 is set,
but always needs to be set explicitly.

diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
index a43bc160892e20468493aac72e659cc7c32d1c9a..86f03750ae0fb20661f693efa2b6a53dee6bb5b6 100644 (file)
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -76,9 +76,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use.
 
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index 650975ac983866f9360b92bbfe2867ecf9a1631f..31c7b5ae51f0ed392bb63b92da827457b4fd082f 100644 (file)
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -103,9 +103,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst
index ab8175ad3d6215cf99c386e53bd36fed0d6bd778..31da670cc2972fed89c61a45e468374d8caebef9 100644 (file)
--- a/bin/dnssec/dnssec-revoke.rst
+++ b/bin/dnssec/dnssec-revoke.rst
@@ -59,9 +59,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst
index b631d9ae17b75389e8fbecccb5b7058a6c347257..731e35ff8bf8076b3280afa37752747ca2a95ec5 100644 (file)
--- a/bin/dnssec/dnssec-settime.rst
+++ b/bin/dnssec/dnssec-settime.rst
@@ -102,9 +102,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index 3eef88d93b62c2c187a42d2fef9e8c17427d3b6d..a43d76954ad5e6f2ef8ce6053e5fc27d478e2a74 100644 (file)
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -69,9 +69,9 @@ Options
    This option specifies the hardware to use for cryptographic
    operations, such as a secure key store used for signing, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst
index f6d7e280a795ad4e5ee37874805d15e3f6155c4b..7f2ba531bb93388d9e23965b3aa73ca8aee0289f 100644 (file)
--- a/bin/dnssec/dnssec-verify.rst
+++ b/bin/dnssec/dnssec-verify.rst
@@ -47,9 +47,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/named/named.rst b/bin/named/named.rst
index 4b5c0329641bec0a9d92967415f40d5d6224e8f2..9b039cdbf0280aa5a7134814c063224c5a849aea 100644 (file)
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -72,9 +72,9 @@ Options
    When applicable, this option specifies the hardware to use for cryptographic
    operations, such as a secure key store used for signing.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in
index 4816a522a96b076ca1ff509e88349cb91b769f05..56d5dc19efe7b001b3cc944ab23678c9bfbb4d0e 100644 (file)
--- a/doc/man/dnssec-keyfromlabel.1in
+++ b/doc/man/dnssec-keyfromlabel.1in
@@ -76,9 +76,9 @@ versions, then the NSEC3 version is used; for example,
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use.
 .sp
-When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-keygen.1in b/doc/man/dnssec-keygen.1in
index 4a1b27284094ce80b282b17a360b6d9b3640ed96..057ff3d37f6f975d4928081b32d09ef1c03c6cdc 100644 (file)
--- a/doc/man/dnssec-keygen.1in
+++ b/doc/man/dnssec-keygen.1in
@@ -103,9 +103,9 @@ ECDSAP384SHA384, ED25519, and ED448.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-revoke.1in b/doc/man/dnssec-revoke.1in
index 76691d4c2c759887203f96337e90dbfe70d6c0a0..11c65032e5e7c05f72a50578f66485857933764b 100644 (file)
--- a/doc/man/dnssec-revoke.1in
+++ b/doc/man/dnssec-revoke.1in
@@ -59,9 +59,9 @@ This option prints version information.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in
index 753a5c205c8c506fa7ff1114083730ece81f3a4b..32ae197b54d5e80b8f45ea6fa918d73eb83e2657 100644 (file)
--- a/doc/man/dnssec-settime.1in
+++ b/doc/man/dnssec-settime.1in
@@ -102,9 +102,9 @@ This option sets the debugging level.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in
index 6f520029b98ef2bbaa82af80b6f2c97522f9f4d9..e999d2d1fca2d0c5ba4dc6735985a6821021b8a5 100644 (file)
--- a/doc/man/dnssec-signzone.1in
+++ b/doc/man/dnssec-signzone.1in
@@ -69,9 +69,9 @@ The resulting file can be included in the original zone file with
 This option specifies the hardware to use for cryptographic
 operations, such as a secure key store used for signing, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-verify.1in b/doc/man/dnssec-verify.1in
index 8539d530b0702757ba37f24ffaed78f93a2642b0..8d61ef690b42f385cdfa7a58f405f61fdb83a464 100644 (file)
--- a/doc/man/dnssec-verify.1in
+++ b/doc/man/dnssec-verify.1in
@@ -47,9 +47,9 @@ This option specifies the DNS class of the zone.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/named.8in b/doc/man/named.8in
index 1c9ad8a233e3a42a02e6ae18f243b81663be7cee..db3ddd4176b148021809115f5203d7503f515917 100644 (file)
--- a/doc/man/named.8in
+++ b/doc/man/named.8in
@@ -72,9 +72,9 @@ in a process listing. The contents of \fBstring\fP are not examined.
 When applicable, this option specifies the hardware to use for cryptographic
 operations, such as a secure key store used for signing.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.