Diffstat (limited to 'dns/bind914/pkg-help')
-rw-r--r-- dns/bind914/pkg-help 38
1 files changed, 38 insertions, 0 deletions
diff --git a/dns/bind914/pkg-help b/dns/bind914/pkg-help
new file mode 100644
index 000000000000..c303766037cb
--- /dev/null
+++ b/dns/bind914/pkg-help
@@ -0,0 +1,38 @@
+ NATIVE_PKCS11
+When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
+engine specified by the named_pkcss11_engine variable in
+/etc/rc.conf for *all* crypto operations.
+
+This is primarily intended to be used in an authoritative
+case.
+
+If BIND is also operating as a validating resolver,
+NATIVE_PKCS11 should not be used, because the HSM will be
+used for all crypto, including DNSSEC validations, and the
+HSM is likely to be slower than the CPU for this purpose.
+Additionally, the HSM might not support all of the PKCS#11
+API functions needed for signature verification.
+
+
+ GOST
+If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
+the OpenSSL engines MUST be accessible from within the chroot.
+If BIND is chrooted in /var/named, this can be achieved by
+either copying content of /usr/local/lib/engines into
+/var/named/usr/local/lib/engines, or by creating that directory
+and adding this line to /etc/fstab:
+/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0
+
+
+ START_LATE
+Most of the time, BIND needs to start early in the boot
+process. Enable this if BIND starts too early for you and
+you need it to start later.
+
+
+ TUNING_LARGE
+ https://kb.isc.org/article/AA-01314/0
+Tunes certain compiled-in constants and default settings to
+values better suited to large servers with 12/16GB+ of memory.
+This can improve performance on such servers, but will consume
+more memory and may degrade performance on smaller systems.
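Review bot: The rc.conf variable in the NATIVE_PKCS11 text is spelled "named_pkcss11_engine", with a doubled "s" that does not match the "PKCS#11" spelling used in the rest of the file; please check it against the name the rc script actually reads, since an admin who copies it from this help text would set a variable that is never consulted. In the same section, "an authoritative case" would read better as "an authoritative-only server", which also makes the contrast with the validating resolver paragraph explicit. In the GOST section, the two options are not equivalent: a copied /var/named/usr/local/lib/engines goes stale when the engines under /usr/local/lib/engines are updated, while the read-only nullfs mount tracks them and keeps the chroot from modifying them, so it is worth stating that the fstab line is the preferred choice.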