Update documentation on -E option

The -E option does not default to pkcs11 if --with-pkcs11 is set,
but always needs to be set explicitly.

(cherry picked from commit 0536375d4cf61c9b570a32e808dde78a7ef859bf)

diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
index a43bc160892e20468493aac72e659cc7c32d1c9a..86f03750ae0fb20661f693efa2b6a53dee6bb5b6 100644 (file)
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -76,9 +76,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use.
 
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index 4c0fe20c2188fba137c315a4055fa7daef06b8c0..61006d2fc8332391a77a8e40bb6e1b77e929dac2 100644 (file)
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -109,9 +109,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst
index ab8175ad3d6215cf99c386e53bd36fed0d6bd778..31da670cc2972fed89c61a45e468374d8caebef9 100644 (file)
--- a/bin/dnssec/dnssec-revoke.rst
+++ b/bin/dnssec/dnssec-revoke.rst
@@ -59,9 +59,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst
index 426ed15b3aec09e49780d584a4a6767369eb2023..63701fd0d24264708a039c4b8058ffb20e84a543 100644 (file)
--- a/bin/dnssec/dnssec-settime.rst
+++ b/bin/dnssec/dnssec-settime.rst
@@ -102,9 +102,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index 3eef88d93b62c2c187a42d2fef9e8c17427d3b6d..a43d76954ad5e6f2ef8ce6053e5fc27d478e2a74 100644 (file)
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -69,9 +69,9 @@ Options
    This option specifies the hardware to use for cryptographic
    operations, such as a secure key store used for signing, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst
index f6d7e280a795ad4e5ee37874805d15e3f6155c4b..7f2ba531bb93388d9e23965b3aa73ca8aee0289f 100644 (file)
--- a/bin/dnssec/dnssec-verify.rst
+++ b/bin/dnssec/dnssec-verify.rst
@@ -47,9 +47,9 @@ Options
 ``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/bin/named/named.rst b/bin/named/named.rst
index fa2dc91cc4c3fb02fa2755c2eaf0d727d58e3efa..6fd8f8760b02ab9931a49e024b96a17dd0fd640a 100644 (file)
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -72,9 +72,9 @@ Options
    When applicable, this option specifies the hardware to use for cryptographic
    operations, such as a secure key store used for signing.
 
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
    built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
    defaults to the path of the PKCS#11 provider library specified via
    ``--with-pkcs11``.

diff --git a/doc/man/dnssec-keyfromlabel.8in b/doc/man/dnssec-keyfromlabel.8in
index 82172a75a484c24c66bb3defe46e246c07c03d95..5375ce065e7d241a15e34250477ef597f863b691 100644 (file)
--- a/doc/man/dnssec-keyfromlabel.8in
+++ b/doc/man/dnssec-keyfromlabel.8in
@@ -76,9 +76,9 @@ versions, then the NSEC3 version is used; for example,
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use.
 .sp
-When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-keygen.8in b/doc/man/dnssec-keygen.8in
index 05ee33497ad3b09380d5370ffa1fcfa3a289e1d3..fef5da0dbb3abf26c93daf2ccca51c2ae884ea3a 100644 (file)
--- a/doc/man/dnssec-keygen.8in
+++ b/doc/man/dnssec-keygen.8in
@@ -109,9 +109,9 @@ ECDSAP384SHA384, ED25519, and ED448.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-revoke.8in b/doc/man/dnssec-revoke.8in
index 4fb367fbadfd7efbb752493593dfdb96b2d2c512..bd640fd79f85dd594dc990a37e7a8c8578c03314 100644 (file)
--- a/doc/man/dnssec-revoke.8in
+++ b/doc/man/dnssec-revoke.8in
@@ -59,9 +59,9 @@ This option prints version information.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-settime.8in b/doc/man/dnssec-settime.8in
index 3bb19506c968f9e6b06158e8d62f1e214122ca61..8523ef305f24f2bb4c8e5136dc7cc73e1f7877f5 100644 (file)
--- a/doc/man/dnssec-settime.8in
+++ b/doc/man/dnssec-settime.8in
@@ -102,9 +102,9 @@ This option sets the debugging level.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-signzone.8in b/doc/man/dnssec-signzone.8in
index 80df81592fd2e88a546e0e06ff9f54e02528a465..f0a29b017dc9fcb5afd3c1d27011c5e14dcc9ad6 100644 (file)
--- a/doc/man/dnssec-signzone.8in
+++ b/doc/man/dnssec-signzone.8in
@@ -69,9 +69,9 @@ The resulting file can be included in the original zone file with
 This option specifies the hardware to use for cryptographic
 operations, such as a secure key store used for signing, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/dnssec-verify.8in b/doc/man/dnssec-verify.8in
index 06d2160dd52605ddbf66c019480004bdaaea99fb..9f5aee31d513e01e0fe2b3f097a14db29c3b05ff 100644 (file)
--- a/doc/man/dnssec-verify.8in
+++ b/doc/man/dnssec-verify.8in
@@ -47,9 +47,9 @@ This option specifies the DNS class of the zone.
 .B \fB\-E engine\fP
 This option specifies the cryptographic hardware to use, when applicable.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.

diff --git a/doc/man/named.8in b/doc/man/named.8in
index 2d9e1b461d96ff5f10d46de6dc1b5814324a57f2..fa99f020c35c0f0b644604b5423fa997d7bcb53d 100644 (file)
--- a/doc/man/named.8in
+++ b/doc/man/named.8in
@@ -72,9 +72,9 @@ in a process listing. The contents of \fBstring\fP are not examined.
 When applicable, this option specifies the hardware to use for cryptographic
 operations, such as a secure key store used for signing.
 .sp
-When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a
-cryptographic accelerator or hardware service module. When BIND is
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
 built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
 defaults to the path of the PKCS#11 provider library specified via
 \fB\-\-with\-pkcs11\fP\&.