The one place for your designs
To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.
Add support for BIND with native pkcs11 support to retrieve HSM pin from an environment variable (instead of a file) [ISC-support #14233]
When integrating BIND with an HSM to manage private keys, along with automatic DNSSEC signature maintenance, a mechanism has to be put into place to handle the pin needed to access the private keys in the HSM device.
When building BIND with native pkcs#11 support, this can only be done by means of a pin file on disk.
When building BIND using instead patched OpenSSL to interface with the HSM, you can instead set an environment variable.
In production environments where the latter (environment variable containing the HSM pin) is preferred, it is not currently possible to deploy DNSSEC with native pkcs11 support for the HSM.
(This should be relatively easy to do?)