This document provides information about configuring the KMES Series 3 with BIND by using Futurex PKCS #11 libraries. For additional questions related to your KMES Series 3, see the KMES Series 3 user guide.
About BIND
BIND is a software suite for interacting with the DNS. Its most prominent component, named, performs both primary DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver within the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administrative tools, such as nsupdate and dig, as well as a DNS resolver interface library.
How the BIND integration works
The integration involves the following steps:
- Zone data creation/update: User defines or updates the DNS zone file
- Key reference request: BIND identifies required signing keys
- HSM login: BIND authenticates to KMES Series 3 via PKCS#11
- Signing key access: KMES Series 3 locates requested signing keys
- HSM signing operation: KMES Series 3 generates digital signatures using private keys
- Zone file update: Signed DNS records are added to zone data
- Zone publication: BIND loads and serves signed zone data
- Resolver validation: DNS resolvers verify signatures using DNSSEC public keys
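An added example (not Futurex or BIND code) for checking the outcome of the zone file update and publication steps before resolvers validate it: it scans a signed zone in one-record-per-line presentation format and reports RRsets that have no covering RRSIG or whose signature is expired or close to expiry. The zone data, names, key tag and the 7-day warning window are constructed assumptions, and the check treats every record as authoritative (it does not exempt delegation NS or glue records).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: fragment of a signed zone, one record per line.
# Names, key tag and signature text are made up for this example.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20240301000000 20240201000000 12345 example.test. c2lnMQ==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20240210000000 20240110000000 12345 example.test. c2lnMg==
www.example.test. 3600 IN A 192.0.2.10
"""

def parse_ts(text):
    """Parse an RRSIG timestamp in YYYYMMDDHHmmSS form (always UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_zone(zone_text, now, warn_days=7):
    """Return (owner, type, status) for unsigned, expired or expiring RRsets."""
    rrsets, sigs = set(), {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";") or f[2] != "IN":
            continue  # blank line, comment, or not "owner TTL IN type ..."
        owner, rrtype = f[0].lower(), f[3]
        if rrtype == "RRSIG":
            if len(f) < 13:
                continue  # truncated RRSIG: its RRset will show as unsigned
            key = (owner, f[4])            # f[4] is the type covered
            expires = parse_ts(f[8])       # f[8] is the signature expiration
            sigs[key] = max(expires, sigs.get(key, expires))
        else:
            rrsets.add((owner, rrtype))
    findings = []
    for key in sorted(rrsets):
        if key not in sigs:
            findings.append((*key, "unsigned"))
        elif sigs[key] <= now:
            findings.append((*key, "expired"))
        elif sigs[key] - now <= timedelta(days=warn_days):
            findings.append((*key, "expiring"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 2, 5, tzinfo=timezone.utc)  # fixed date for the sample
    for finding in audit_zone(SAMPLE_ZONE, now):
        print(*finding)
```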
PKCS #11 in BIND
The PKCS #11 support in BIND comes in two forms:
- Native PKCS #11 - BIND interfaces directly with the KMES Series 3 provided library through the PKCS #11 API. This allows BIND to interact directly with the PKCS #11 provider for public key cryptography (DNSSEC).
- OpenSSL-based PKCS #11 - BIND uses an OpenSSL PKCS #11 provider (such as pkcs11-provider from the Latchset project) to interact with KMES Series 3 indirectly.

