Add deprecation notice about --enable-native-pkcs11 to configure.ac
authorOndřej Surý <ondrej@isc.org>
Thu, 9 Sep 2021 20:13:36 +0000 (22:13 +0200)
committerOndřej Surý <ondrej@isc.org>
Thu, 9 Sep 2021 20:35:03 +0000 (22:35 +0200)
The native PKCS#11 feature has been removed in BIND 9.18, so we need to
add a deprecation notice (warning at ./configure time) to the next 9.16
release.

configure
configure.ac

index b8c5b0fe6d640f95224a52c019628a6c169b8323..6c2c554dd71907c619471d518a11e87229ff7ce7 100755 (executable)
--- a/configure
+++ b/configure
@@ -26364,6 +26364,19 @@ report() {
     test "$CRYPTO" = "pkcs11" && (
        echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
        echo "    PKCS#11 module (--with-pkcs11): $with_pkcs11"
+       echo "    +--------------------------------------------+"
+       echo "    |             ==== WARNING ====              |"
+       echo "    |                                            |"
+       echo "    | The use of native PKCS#11 for Public-Key   |"
+       echo "    | Cryptography in BIND 9 has been deprecated |"
+       echo "    | in favor of OpenSSL engine_pkcs11 from the |"
+       echo "    | OpenSC project. The --with-native-pkcs11   |"
+       echo "    | configuration option will be removed from  |"
+       echo "    | the next major BIND 9 release. The option  |"
+       echo "    | to use the engine_pkcs11 OpenSSL engine is |"
+       echo "    | already available in BIND 9; please see    |"
+       echo "    | the ARM section on PKCS#11 for details.    |"
+       echo "    +--------------------------------------------+"
     )
 
     echo "    Dynamically loadable zone (DLZ) drivers:"
index d654eb6bb9d8d6dc08d7848c3f2bb500f9ed50d7..a30f078a8abb799f21bc57e9ced35a3f581c6fa1 100644 (file)
@@ -2991,6 +2991,19 @@ report() {
     test "$CRYPTO" = "pkcs11" && (
        echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
        echo "    PKCS#11 module (--with-pkcs11): $with_pkcs11"
+       echo "    +--------------------------------------------+"
+       echo "    |             ==== WARNING ====              |"
+       echo "    |                                            |"
+       echo "    | The use of native PKCS#11 for Public-Key   |"
+       echo "    | Cryptography in BIND 9 has been deprecated |"
+       echo "    | in favor of OpenSSL engine_pkcs11 from the |"
+       echo "    | OpenSC project. The --with-native-pkcs11   |"
+       echo "    | configuration option will be removed from  |"
+       echo "    | the next major BIND 9 release. The option  |"
+       echo "    | to use the engine_pkcs11 OpenSSL engine is |"
+       echo "    | already available in BIND 9; please see    |"
+       echo "    | the ARM section on PKCS#11 for details.    |"
+       echo "    +--------------------------------------------+"
     )
 
     echo "    Dynamically loadable zone (DLZ) drivers:"
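Review bot: The added warning box in report() names `--with-native-pkcs11`, while the commit title refers to `--enable-native-pkcs11`; the option's definition is outside this hunk, so confirm which spelling users actually pass and use that one in the box. The notice is also printed with plain `echo` inside the summary subshell, so it only reaches stdout and is easy to miss in scripted or packaged builds. Consider additionally emitting `AC_MSG_WARN([native PKCS#11 is deprecated; migrate to OpenSSL engine_pkcs11])` where the option is processed, so the deprecation lands on stderr and in config.log. Operators who keep DNSSEC keys in an HSM through this backend need that lead time to plan the move before the option is removed. report() begins and ends outside the hunk.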