About BIND
BIND is a software suite for interacting with the DNS. Its most prominent component, named (the name daemon on Linux), performs both primary DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver within the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administrative tools, such as nsupdate and dig, as well as a DNS resolver interface library.How the BIND integration works
The integration involves the following steps:- Zone data creation or update: User defines or updates DNS zone file.
- Key reference request: BIND identifies required signing keys.
- HSM login: BIND authenticates to the Vectera Plus by using PKCS#11.
- Signing key access: Vectera Plus locates the requested signing keys.
- Signing operation: Vectera Plus generates digital signatures by using private keys.
- Zone file update: Signed DNS records are added to the zone data.
- Zone publication: BIND loads and serves the signed zone.
- Resolver validation: DNS resolvers verify signatures by using Domain Name Security System Extensions (DNSSEC) public keys.
PKCS #11 in BIND
The PKCS #11 support in BIND comes in two forms:- Native PKCS #11: BIND interfaces directly with the Vectera Plus provided library through the PKCS #11 API. This allows BIND to interact directly with the PKCS #11 provider for public key cryptography (DNSSEC).
- OpenSSL-based PKCS #11: BIND uses an OpenSSL PKCS #11 provider (such as
pkcs11-providerfrom the Latchset project) to interact with Vectera Plus indirectly.
Guardian integration
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems