+--On 23 August 2016 13:10:30 +0000 Francis Dupont via RT wrote:
| On Tue Aug 23 12:38:39 2016, mat@FreeBSD.org wrote:
|> Hi,
|>
|> Someone created a FreeBSD bug report[1] today. As I don't use the PKCS#11
|> thingie myself, I only tested it briefly when it came around to make sure
|> it built and ran.
|>
|> I don't understand what it really is trying to achieve, so, I'm wondering
|> what you think about it, if it is a bug in BIND9, or a feature
|> addition...
|>
|> 1:
|
| => it is a patch for the FreeBSD port system (1) but it includes
| a fix (2) for Fedora 23 so you are right to signal this to us.
|
| (1) IMHO it is not a good idea to provide native PKCS#11 support
| in the standard package because it is exclusive of OpenSSL.
| Note if SoftHSMv2 is fine it was not designed to be very secure
| (it was designed to help development of code supporting real HSMs,
| including the native PKCS#11 support in bind9). So to replace
| bind9+OpenSSL by bind9+PKCS#11+SoftHSMv2 doesn't make
| sense in production.

The native PKCS#11 support is provided as an option, and is not enabled by
default, so it is not a problem, it is there so that people who need it can
use it.

| (2) I'll download the Fedora 23 sources to see if the patch solves
| a real/known/already-fixed issue.

Thanks, please let me know :-)

| Note we merged a patch making the native PKCS#11 support more
| flexible into 9.10 and 9.11 last week so if you find something wrong
| please check against last versions.

I'll have a look.

-- 
Mathieu Arnold