From: Evan Hunt Date: Fri, 28 Feb 2014 16:10:44 +0000 (-0800) Subject: [master] add text clarifying native-pkcs11 X-Git-Tag: v9.10.0b2~79 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=e94261f0bcfb42a33128f27809d7c36f32f703f5;p=thirdparty%2Fbind9.git [master] add text clarifying native-pkcs11 --- diff --git a/README b/README index 0439167395a..0fc13febb5b 100644 --- a/README +++ b/README @@ -120,9 +120,12 @@ BIND 9.10.0 allows BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a cryptographic hardware service module (HSM) directly instead of using a modified - OpenSSL as an intermediary. This has been tested with the - Thales nShield HSM and with SoftHSMv2 from the Open DNSSEC - project. + OpenSSL as an intermediary. (Note: This feature requires an + HSM to have a full implementation of the PKCS#11 API; many + current HSMs only have partial implementations. The new + "pkcs11-tokens" command can be used to check API completeness. + Native PKCS#11 is known to work with the Thales nShield HSM + and with SoftHSM version 2 from the Open DNSSEC project.) - The new "max-zone-ttl" option enforces maximum TTLs for zones. This can simplify the process of rolling DNSSEC keys by guaranteeing that cached signatures will have expired