On Tue Aug 23 12:38:39 2016, mat@FreeBSD.org wrote:
> Hi,
>
> Someone created a FreeBSD bug report[1] today. As I don't use the PKCS#11
> thingie myself, I only tested it briefly when it came around to make sure
> it built and ran.
>
> I don't understand what it really is trying to achieve, so, I'm wondering
> what you think about it, if it is a bug in BIND9, or a feature addition...
>
> 1:

=> it is a patch for the FreeBSD port system (1), but it includes a fix (2) from Fedora 23, so you are right to signal this to us.

(1) IMHO it is not a good idea to provide native PKCS#11 support in the standard package because it is exclusive of OpenSSL. Note, if SoftHSMv2 is fine, it was not designed to be very secure (it was designed to help development of code supporting real HSMs, including the native PKCS#11 support in bind9). So to replace bind9+OpenSSL by bind9+PKCS#11+SoftHSMv2 doesn't make sense in production.

(2) I'll download the Fedora 23 sources to see if the patch solves a real/known/already-fixed issue.

Note we merged a patch making the native PKCS#11 support more flexible into 9.10 and 9.11 last week, so if you find something wrong please check against the last versions.