planned bind-pkcs11 changes in F20+

Tomas Hozza thozza at redhat.com
Thu Sep 25 15:27:41 UTC 2014



On 09/25/2014 05:18 PM, Paul Wouters wrote:
> On Thu, 25 Sep 2014, Tomas Hozza wrote:
>
> > I would like to inform everyone about changes I plan to do
> > in Fedora 20+ due to Bug 1097752 (Support for native PKCS#11
> > interface - needed by FreeIPA).
> >
> > Currently there is a bind-pkcs11 package which includes
> > a couple of utilities needed for working with PKCS#11.
> >
> > From the user feedback I got during the past year or so, utilities
> > from PKCS#11 didn't work much. I backported the native
> > PKCS#11 functionality from BIND 9.10 and plan to add/change
> > the following sub-packages:
>
> Sounds good to me. The only people this would affect are those running
> bind with an hsm, and we'd hope they would be on rhel/centos to begin
> with. But even if this moves gradually into there, it looks good.

Good to hear that. I think Fedora is a great place for people wanting
to try it out. I don't expect someone to run it in a production enterprise
environment on Fedora.

> I was hoping bind 9.10+ would be able to do runtime pkcs#11 hsm stuff :/
> without the need for hacking and recompiling.

Yeah, I was hoping for the same thing. Unfortunately it is not possible
even with BIND 9.10 (which will be in F22). Upstream is open to patches,
but they don't have the time or interest to do it themselves.

From my point of view the ideal situation would be if BIND could fall back
to using OpenSSL if there is no HSM configured (or working). Well, I might
look into it in the future, but it is a low-priority item for me, too.

Unfortunately this adds "yet another" compiled version of named (there
is already named-sdb). However, the positive thing is that this way it
will not change anything for current named users.

Thanks for your opinion.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com

