BIND
This document describes how to configure {{ch}} with BIND by using the {{futurex}} PKCS #11 libraries. For additional information about {{ch}}, see the {{ch}} Administrator Guide.

About BIND

BIND is a software suite for interacting with the {{dns}}. Its most prominent component, {{named}}, performs both primary DNS server roles: it acts as an authoritative name server for DNS zones and as a recursive resolver within the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems. The suite also contains various administrative tools, such as nsupdate and dig, as well as a DNS resolver interface library.

How the BIND integration works

The integration involves the following steps:

1. Zone data creation/update: the user defines or updates the DNS zone file.
2. Key reference request: BIND identifies the required signing keys.
3. HSM login: BIND authenticates to {{ch}} by using PKCS #11.
4. Signing key access: {{ch}} locates the requested signing keys.
5. HSM signing operation: {{ch}} generates digital signatures using the private keys.
6. Zone file update: the signed DNS records are added to the zone data.
7. Zone publication: BIND loads and serves the signed zone data.
8. Resolver validation: DNS resolvers verify the signatures using the DNSSEC public keys.

PKCS #11 in BIND

PKCS #11 support in BIND comes in two forms:

- Native PKCS #11: BIND interfaces directly with the {{vectera}}-provided library through the PKCS #11 API. This allows BIND to interact directly with the PKCS #11 provider for public key cryptography (DNSSEC).
- OpenSSL-based PKCS #11: BIND uses an OpenSSL PKCS #11 provider (such as pkcs11-provider from the latchset project) to interact with {{vectera}} indirectly.

This integration guide uses the OpenSSL-based PKCS #11 method because it is the only method compatible with {{ch}}.

What is {{ch}}?
{{ch}} is the most flexible and versatile cryptographic platform in the industry. It combines every cryptographic function within our extensive solution suite. You can operate {{ch}} within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

Benefits of {{ch}} integration through PKCS #11

Integrating with {{ch}} provides the following benefits:

- Secure key storage: integration with {{ch}} ensures that a hardware device securely stores the cryptographic keys used for DNSSEC, away from the vulnerabilities of software-based storage.
- Enhanced performance: we engineer our HSMs to handle cryptographic operations efficiently, aiding quicker DNS query responses and DNSSEC signings.
- Regulatory compliance: the secure storage and management of cryptographic keys through {{ch}} help meet compliance standards like GDPR, HIPAA, or other country-specific regulations.
- Redundancy and reliability: {{ch}} has built-in failover and backup capabilities, ensuring uninterrupted DNS service.
- Centralized key management: {{ch}} provides a centralized solution for cryptographic key management, easing administrative burdens and enhancing security oversight.
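As an added example (not code from this guide, {{futurex}} or the BIND project), the following Python script checks the validity windows of the RRSIG records that the zone file update, zone publication and resolver validation steps described above produce and rely on: a validating resolver rejects a signature outside its inception/expiration window, so HSM-signed RRSIGs must be re-signed before they expire. The zone lines, dates and key tag are constructed placeholders, and the parser assumes BIND's one-record-per-line output without parenthesised continuations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone as BIND writes it: one record per line,
# no parenthesised continuations; signature fields are fake placeholders.
SAMPLE_SIGNED_ZONE = """\
example.test. 3600 IN RRSIG SOA 13 2 3600 20250218000000 20250215000000 12345 example.test. AAAAplaceholder==
example.test. 3600 IN RRSIG NS 13 2 3600 20250315000000 20250215000000 12345 example.test. BBBBplaceholder==
www.example.test. 300 IN RRSIG A 13 3 300 20250315000000 20250301000000 12345 example.test. CCCCplaceholder==
"""

@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str

def _sig_time(field: str) -> datetime:
    # RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text: str) -> list[Rrsig]:
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue  # skip non-RRSIG records and blank lines
        sigs.append(Rrsig(f[0], f[4], _sig_time(f[8]), _sig_time(f[9]), int(f[10]), f[11]))
    return sigs

def check_signature_windows(zone_text: str, now: str, warn_days: int = 7) -> dict[str, str]:
    """Classify every RRSIG at time `now` (RRSIG time format) as
    ok / expiring / expired / not-yet-valid, keyed by 'owner/TYPE'."""
    t = _sig_time(now)
    result = {}
    for s in parse_rrsigs(zone_text):
        if t < s.inception:
            status = "not-yet-valid"
        elif t >= s.expiration:
            status = "expired"
        elif s.expiration - t <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        result[f"{s.owner}/{s.type_covered}"] = status
    return result
```

Run it against the output of a real signed zone (for example the file BIND writes after signing) and alert on anything other than "ok"; an "expiring" SOA signature is the earliest sign that re-signing against the HSM has stalled.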