Skip to content

Fix PKCS#11-based EdDSA support

PKCS#11-based EdDSA support in BIND is currently non-functional.

  • Build-time detection for PKCS#11 EdDSA support relied on the --with-eddsa option for configure being used, but that option was removed in 45abf438.
  • There are still some leftovers from --with-eddsa removal (git grep with-eddsa).
  • Commit c3b8130f removed HAVE_PKCS11_{ED25519,ED448} AC_DEFINEs from configure.ac (the values set depended on the value of the also removed --with-eddsa switch), but those macros are still the only way to enable PKCS#11-based EdDSA support in BIND.
  • Setting HAVE_PKCS11_ED25519 manually at compilation time causes build errors in lib/dns/pkcs11eddsa_link.c.

When the problems outlined above are alleviated, the pkcs11 system test should start mentioning "ecx" in its output (currently it only mentions "rsa" and "ecc").

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information