From: Matthijs Mekking Date: Mon, 18 Jan 2021 07:57:52 +0000 (+0100) Subject: Update documentation on -E option X-Git-Tag: v9.17.10~32^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9828dd17004dab24e228edd8fbe4d286ffd42ee;p=thirdparty%2Fbind9.git Update documentation on -E option The -E option does not default to pkcs11 if --with-pkcs11 is set, but always needs to be set explicitly. --- diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index a43bc160892..86f03750ae0 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst @@ -76,9 +76,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use. - When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 650975ac983..31c7b5ae51f 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -103,9 +103,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst index ab8175ad3d6..31da670cc29 100644 --- a/bin/dnssec/dnssec-revoke.rst +++ b/bin/dnssec/dnssec-revoke.rst @@ -59,9 +59,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index b631d9ae17b..731e35ff8bf 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst 
@@ -102,9 +102,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 3eef88d93b6..a43d76954ad 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -69,9 +69,9 @@ Options This option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst index f6d7e280a79..7f2ba531bb9 100644 --- a/bin/dnssec/dnssec-verify.rst +++ b/bin/dnssec/dnssec-verify.rst 
@@ -47,9 +47,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/named/named.rst b/bin/named/named.rst index 4b5c0329641..9b039cdbf02 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst @@ -72,9 +72,9 @@ Options When applicable, this option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in index 4816a522a96..56d5dc19efe 100644 --- a/doc/man/dnssec-keyfromlabel.1in +++ b/doc/man/dnssec-keyfromlabel.1in 
@@ -76,9 +76,9 @@ versions, then the NSEC3 version is used; for example, .B \fB\-E engine\fP This option specifies the cryptographic hardware to use. .sp -When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-keygen.1in b/doc/man/dnssec-keygen.1in index 4a1b2728409..057ff3d37f6 100644 --- a/doc/man/dnssec-keygen.1in +++ b/doc/man/dnssec-keygen.1in @@ -103,9 +103,9 @@ ECDSAP384SHA384, ED25519, and ED448. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-revoke.1in b/doc/man/dnssec-revoke.1in index 76691d4c2c7..11c65032e5e 100644 --- a/doc/man/dnssec-revoke.1in +++ b/doc/man/dnssec-revoke.1in 
@@ -59,9 +59,9 @@ This option prints version information. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in index 753a5c205c8..32ae197b54d 100644 --- a/doc/man/dnssec-settime.1in +++ b/doc/man/dnssec-settime.1in @@ -102,9 +102,9 @@ This option sets the debugging level. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in index 6f520029b98..e999d2d1fca 100644 --- a/doc/man/dnssec-signzone.1in +++ b/doc/man/dnssec-signzone.1in 
@@ -69,9 +69,9 @@ The resulting file can be included in the original zone file with This option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-verify.1in b/doc/man/dnssec-verify.1in index 8539d530b07..8d61ef690b4 100644 --- a/doc/man/dnssec-verify.1in +++ b/doc/man/dnssec-verify.1in @@ -47,9 +47,9 @@ This option specifies the DNS class of the zone. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/named.8in b/doc/man/named.8in index 1c9ad8a233e..db3ddd4176b 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in 
@@ -72,9 +72,9 @@ in a process listing. The contents of \fBstring\fP are not examined. When applicable, this option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&.
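Review bot: The added line "hardware service module (usually ``pkcs11``)" in all seven .rst hunks, and its \fBpkcs11\fP counterpart in the seven man-page hunks, keeps the phrase "hardware service module" from the removed text. The usual term for the device is "hardware security module". Since the patch already rewrites this sentence in every file, I'd change "service" to "security" in the same pass.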
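Review bot: The new sentence "this needs to be set to the OpenSSL engine identifier ..." in each hunk does not say what happens when -E is omitted on an OpenSSL build, which is the case the commit message is about. The old text described a default and the new text only states a requirement, so an operator cannot tell from the page whether the tool fails or proceeds without the engine. Please add a clause stating the behaviour when the option is not given. The parenthetical "(usually ``pkcs11``)" also sits after "hardware service module", so it reads as describing the module. Placing it directly after "engine identifier" would make clear that it is the value passed to -E.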
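Review bot: Product naming is inconsistent within the rewritten paragraph: the first added line in every hunk now reads "When BIND 9 is built with OpenSSL", while the third added line still ends "When BIND is", leading into the unchanged native PKCS#11 sentence. The removed lines mixed "BIND 9" and "BIND" across files (for example dnssec-keyfromlabel.rst against dnssec-keygen.rst), and this patch normalises only the first sentence. I'd use "BIND 9" in both sentences so each paragraph is consistent.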