Diffstat (limited to 'dns/bind914/pkg-help')
-rw-r--r-- | dns/bind914/pkg-help | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/dns/bind914/pkg-help b/dns/bind914/pkg-help new file mode 100644 index 000000000000..c303766037cb --- /dev/null +++ b/dns/bind914/pkg-help @@ -0,0 +1,38 @@ + NATIVE_PKCS11 +When using the NATIVE_PKCS11 option, BIND will use the PKCS#11 +engine specified by the named_pkcss11_engine variable in +/etc/rc.conf for *all* crypto operations. + +This is primarily intended to be used in an authoritative +case. + +If BIND is also operating as a validating resolver, +NATIVE_PKCS11 should not be used, because the HSM will be +used for all crypto, including DNSSEC validations, and the +HSM is likely to be slower than the CPU for this purpose. +Additionally, the HSM might not support all of the PKCS#11 +API functions needed for signature verification. + + + GOST +If using a chrooted instance of BIND on FreeBSD 8.x and 9.x, +the OpenSSL engines MUST be accessible from within the chroot. +If BIND is chrooted in /var/named, this can be achieved by +either copying content of /usr/local/lib/engines into +/var/named/usr/local/lib/engines, or by creating that directory +and adding this line to /etc/fstab: +/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0 + + + START_LATE +Most of the time, BIND needs to start early in the boot +process. Enable this if BIND starts too early for you and +you need it to start later. + + + TUNING_LARGE + https://kb.isc.org/article/AA-01314/0 +Tunes certain compiled-in constants and default settings to +values better suited to large servers with 12/16GB+ of memory. +This can improve performance on such servers, but will consume +more memory and may degrade performance on smaller systems. |
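Review bot: In the NATIVE_PKCS11 section the rc.conf variable is written as named_pkcss11_engine, with a doubled "s", which does not match the PKCS11 spelling used everywhere else in this text. Please check it against the variable name the rc script actually reads, because an operator who copies a misspelled name into /etc/rc.conf may end up without the intended engine configured. In the same section, "in an authoritative case" would be clearer as "on an authoritative-only server", which is the contrast the next paragraph draws with a validating resolver. In the GOST section, it would help to say that copying /usr/local/lib/engines into the chroot leaves a second copy that has to be refreshed whenever the engines are updated, while the read-only nullfs mount in the fstab line does not have that problem. The TUNING_LARGE heading also carries the knowledge-base URL on the heading line, unlike the other three option headings; moving the URL into the description body would keep the headings uniform.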