This document provides information about configuring the KMES Series 3 with BIND by using the Futurex PKCS #11 libraries. For additional questions related to your KMES Series 3, see the relevant user guide.

About BIND

BIND is a software suite for interacting with the DNS. Its most prominent component, named, performs both primary DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver within the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administrative tools, such as nsupdate and dig, as well as a DNS resolver interface library.

How the BIND integration works

The integration involves the following steps:
  1. **Zone data creation/update:** User defines / updates DNS zone file
  2. **Key reference request:** BIND identifies required signing keys
  3. **HSM login:** BIND authenticates to KMES Series 3 via PKCS #11
  4. **Signing key access:** KMES Series 3 locates requested signing keys
  5. **HSM signing operation:** KMES Series 3 generates digital signatures using private keys
  6. **Zone file update:** Signed DNS records are added to zone data
  7. **Zone publication:** BIND loads and serves signed zone data
  8. **Resolver validation:** DNS resolvers verify signatures using DNSSEC public keys

PKCS #11 in BIND

The PKCS #11 support in BIND comes in two forms:
  • Native PKCS #11 - BIND calls the Vectera Plus-provided library directly through the PKCS #11 API, so BIND itself talks to the PKCS #11 provider for its public key cryptography (DNSSEC).
  • OpenSSL-based PKCS #11 - BIND uses an OpenSSL PKCS #11 provider (such as pkcs11-provider from the Latchset project) to reach the Vectera Plus indirectly through OpenSSL.
This integration guide uses the OpenSSL-based PKCS #11 method because it is the only method compatible with Futurex’s KMES Series 3.
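As an added illustration that is not part of this guide, the shape of the OpenSSL configuration that the OpenSSL-based method depends on: OpenSSL loads the Latchset pkcs11-provider, and the provider in turn loads the Futurex PKCS #11 module, so BIND never calls the PKCS #11 library directly. Both file paths below are placeholders to be replaced with the paths on your system.

```ini
# Placeholder OpenSSL configuration (e.g. referenced via OPENSSL_CONF)
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# The Latchset pkcs11-provider module that OpenSSL loads (placeholder path)
module = /usr/lib64/ossl-modules/pkcs11.so
# The Futurex PKCS #11 library the provider forwards to (placeholder path)
pkcs11-module-path = /path/to/futurex/pkcs11/library.so
activate = 1
```

With this file in effect, `openssl list -providers` should report the pkcs11 provider as active before BIND is pointed at the HSM-resident keys; if it does not, BIND will silently fall back to software keys or fail to find the key labels.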