freebsd-ports/dns/bind910/pkg-help

                       NATIVE_PKCS11
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
engine specified by the named_pkcss11_engine variable in
/etc/rc.conf for *all* crypto operations.

This is primarily intended to be used in an authoritative
case.

If BIND is also operating as a validating resolver,
NATIVE_PKCS11 should not be used, because the HSM will be
used for all crypto, including DNSSEC validations, and the
HSM is likely to be slower than the CPU for this purpose.
Additionally, the HSM might not support all of the PKCS#11
API functions needed for signature verification.


                         START_LATE
Most of the time, BIND needs to start early in the boot
process.  Enable this if BIND starts too early for you and
you need it to start later.
Allow BIND 9.10 users to select the old key format when using GOST.[1] While there, reword the options a bit, and the pkg-help files. PR: 200031 [1] Submitted by: Leo Vandewoestijne [1] Sponsored by: Absolight 2015-05-18 11:41:41 +00:00			`NATIVE_PKCS11`
Introduce BIND 9.10.0rc1 BIND 9.10 includes a number of changes from earlier releases, including: - DNS Response-rate limiting (DNS RRL) - A new "prefetch" option can improve recursive resolver performance - ACLs can now be specified based on geographic location using the MaxMind GeoIP databases. - A new compile-time option, NATIVE_PKCS11 allows the BIND 9 cryptography functions to use the PKCS#11 API natively. NOTE This is a release candidate, it may contain bugs. NOTE Changes: https://lists.isc.org/pipermail/bind-announce/2014-April/000906.html Sponsored by: Absolight 2014-04-10 16:01:27 +00:00			`When using the NATIVE_PKCS11 option, BIND will use the PKCS#11`
			`engine specified by the named_pkcss11_engine variable in`
			`/etc/rc.conf for all crypto operations.`

			`This is primarily intended to be used in an authoritative`
			`case.`

Allow BIND 9.10 users to select the old key format when using GOST.[1] While there, reword the options a bit, and the pkg-help files. PR: 200031 [1] Submitted by: Leo Vandewoestijne [1] Sponsored by: Absolight 2015-05-18 11:41:41 +00:00			`If BIND is also operating as a validating resolver,`
Introduce BIND 9.10.0rc1 BIND 9.10 includes a number of changes from earlier releases, including: - DNS Response-rate limiting (DNS RRL) - A new "prefetch" option can improve recursive resolver performance - ACLs can now be specified based on geographic location using the MaxMind GeoIP databases. - A new compile-time option, NATIVE_PKCS11 allows the BIND 9 cryptography functions to use the PKCS#11 API natively. NOTE This is a release candidate, it may contain bugs. NOTE Changes: https://lists.isc.org/pipermail/bind-announce/2014-April/000906.html Sponsored by: Absolight 2014-04-10 16:01:27 +00:00			`NATIVE_PKCS11 should not be used, because the HSM will be`
Allow BIND 9.10 users to select the old key format when using GOST.[1] While there, reword the options a bit, and the pkg-help files. PR: 200031 [1] Submitted by: Leo Vandewoestijne [1] Sponsored by: Absolight 2015-05-18 11:41:41 +00:00			`used for all crypto, including DNSSEC validations, and the`
			`HSM is likely to be slower than the CPU for this purpose.`
			`Additionally, the HSM might not support all of the PKCS#11`
			`API functions needed for signature verification.`
Fix build with GOST (on 10, base OpenSSL doesn't have it) Make sure OpenSSL from ports is used < 10. Sponsored by: Absolight 2014-05-17 21:30:24 +00:00

Make BIND start a bit later (and really after ldconfig.) [1] Add an option to have it start way later. PR: 200375 [1] Sponsored by: Absolight 2015-06-01 10:13:58 +00:00			`START_LATE`
			`Most of the time, BIND needs to start early in the boot`
			`process. Enable this if BIND starts too early for you and`
			`you need it to start later.`