+--On 23 August 2016 14:31:45 +0000 Francis Dupont via RT wrote:
| On Tue Aug 23 13:36:32 2016, mat@FreeBSD.org wrote:
|> | (1) IMHO it is not a good idea to provide native PKCS#11 support
|> | in the standard package...
|>
|> The native PKCS#11 support is provided as an option, and is not enabled
|> by default, so it is not a problem, it is there so that people who need
|> it can use it.
|
| => it will never work: PKCS#11 needs some parameters at configure
| time so is not a proper candidate for packaging. And the last
| improvements make this even worse (they introduce a dependency
| on the name of the PKCS#11 provider, i.e., the library from the HSM
| vendor which implements the PKCS#11 API).

Well, no, it can take a:

  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
                          (PATH is for the PKCS11 provider)

Which will be the default, but it is not mandatory, all commands can take a
"-E /where/engine" argument, which is the way the port goes.

I tested it with softhsm way back when BIND9 9.10 came out, and it was
working just right :-)

|> | (2) I'll download the Fedora 23 sources to see if the patch solves
|> | a real/known/already-fixed issue.
|>
|> Thanks, please let me know :-)
|
| => see my previous answer.
|
|> | Note we merged a patch making the native PKCS#11 support more
|> | flexible into 9.10 and 9.11 last week so if you find something wrong
|> | please check against last versions.
|>
|> I'll have a look.
|
| => read the new lib/isc/include/pk11/README.site to understand
| what the native PKCS#11 support implies...

-- 
Mathieu Arnold