mirror of https://git.FreeBSD.org/ports.git, synced 2024-12-21 04:06:46 +00:00
ee84f127aa
https://kb.isc.org/article/AA-01314/0

Tunes certain compiled-in constants and default settings to values better suited to large servers with 12/16GB+ of memory. This can improve performance on such servers, but will consume more memory and may degrade performance on smaller systems.

PR: 224859
Sponsored by: Absolight
39 lines
1.5 KiB
Plaintext
NATIVE_PKCS11
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
engine specified by the named_pkcss11_engine variable in
/etc/rc.conf for *all* crypto operations.

This is primarily intended to be used in an authoritative
case.

If BIND is also operating as a validating resolver,
NATIVE_PKCS11 should not be used, because the HSM will be
used for all crypto, including DNSSEC validations, and the
HSM is likely to be slower than the CPU for this purpose.
Additionally, the HSM might not support all of the PKCS#11
API functions needed for signature verification.


GOST
If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
the OpenSSL engines MUST be accessible from within the chroot.
If BIND is chrooted in /var/named, this can be achieved by
either copying content of /usr/local/lib/engines into
/var/named/usr/local/lib/engines, or by creating that directory
and adding this line to /etc/fstab:
/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0


START_LATE
Most of the time, BIND needs to start early in the boot
process. Enable this if BIND starts too early for you and
you need it to start later.


TUNING_LARGE
https://kb.isc.org/article/AA-01314/0
Tunes certain compiled-in constants and default settings to
values better suited to large servers with 12/16GB+ of memory.
This can improve performance on such servers, but will consume
more memory and may degrade performance on smaller systems.