1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-28 05:29:48 +00:00
freebsd-ports/dns/bind9-devel/pkg-help
Mathieu Arnold ee84f127aa Add a TUNING_LARGE option.
https://kb.isc.org/article/AA-01314/0

Tunes certain compiled-in constants and default settings to
values better suited to large servers with 12/16GB+ of memory.
This can improve performance on such servers, but will consume
more memory and may degrade performance on smaller systems.

PR:		224859
Sponsored by:	Absolight
2018-01-12 12:58:51 +00:00

39 lines
1.5 KiB
Plaintext

NATIVE_PKCS11
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
engine specified by the named_pkcss11_engine variable in
/etc/rc.conf for *all* crypto operations.
This is primarily intended to be used in an authoritative
case.
If BIND is also operating as a validating resolver,
NATIVE_PKCS11 should not be used, because the HSM will be
used for all crypto, including DNSSEC validations, and the
HSM is likely to be slower than the CPU for this purpose.
Additionally, the HSM might not support all of the PKCS#11
API functions needed for signature verification.
GOST
If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
the OpenSSL engines MUST be accessible from within the chroot.
If BIND is chrooted in /var/named, this can be achieved by
either copying content of /usr/local/lib/engines into
/var/named/usr/local/lib/engines, or by creating that directory
and adding this line to /etc/fstab:
/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0
START_LATE
Most of the time, BIND needs to start early in the boot
process. Enable this if BIND starts too early for you and
you need it to start later.
TUNING_LARGE
https://kb.isc.org/article/AA-01314/0
Tunes certain compiled-in constants and default settings to
values better suited to large servers with 12/16GB+ of memory.
This can improve performance on such servers, but will consume
more memory and may degrade performance on smaller systems.