From a9828dd17004dab24e228edd8fbe4d286ffd42ee Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 18 Jan 2021 08:57:52 +0100 Subject: [PATCH] Update documentation on -E option The -E option does not default to pkcs11 if --with-pkcs11 is set, but always needs to be set explicitly. --- bin/dnssec/dnssec-keyfromlabel.rst | 6 +++--- bin/dnssec/dnssec-keygen.rst | 6 +++--- bin/dnssec/dnssec-revoke.rst | 6 +++--- bin/dnssec/dnssec-settime.rst | 6 +++--- bin/dnssec/dnssec-signzone.rst | 6 +++--- bin/dnssec/dnssec-verify.rst | 6 +++--- bin/named/named.rst | 6 +++--- doc/man/dnssec-keyfromlabel.1in | 6 +++--- doc/man/dnssec-keygen.1in | 6 +++--- doc/man/dnssec-revoke.1in | 6 +++--- doc/man/dnssec-settime.1in | 6 +++--- doc/man/dnssec-signzone.1in | 6 +++--- doc/man/dnssec-verify.1in | 6 +++--- doc/man/named.8in | 6 +++--- 14 files changed, 42 insertions(+), 42 deletions(-) diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index a43bc16089..86f03750ae 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst @@ -76,9 +76,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use. - When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 650975ac98..31c7b5ae51 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -103,9 +103,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst index ab8175ad3d..31da670cc2 100644 --- a/bin/dnssec/dnssec-revoke.rst +++ b/bin/dnssec/dnssec-revoke.rst @@ -59,9 +59,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index b631d9ae17..731e35ff8b 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst 
@@ -102,9 +102,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 3eef88d93b..a43d76954a 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -69,9 +69,9 @@ Options This option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst index f6d7e280a7..7f2ba531bb 100644 --- a/bin/dnssec/dnssec-verify.rst +++ b/bin/dnssec/dnssec-verify.rst 
@@ -47,9 +47,9 @@ Options ``-E engine`` This option specifies the cryptographic hardware to use, when applicable. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/bin/named/named.rst b/bin/named/named.rst index 4b5c032964..9b039cdbf0 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst @@ -72,9 +72,9 @@ Options When applicable, this option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing. - When BIND is built with OpenSSL PKCS#11 support, this defaults to the - string ``pkcs11``, which identifies an OpenSSL engine that can drive a - cryptographic accelerator or hardware service module. When BIND is + When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL + engine identifier that drives the cryptographic accelerator or + hardware service module (usually ``pkcs11``). When BIND is built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it defaults to the path of the PKCS#11 provider library specified via ``--with-pkcs11``. diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in index 4816a522a9..56d5dc19ef 100644 --- a/doc/man/dnssec-keyfromlabel.1in +++ b/doc/man/dnssec-keyfromlabel.1in 
@@ -76,9 +76,9 @@ versions, then the NSEC3 version is used; for example, .B \fB\-E engine\fP This option specifies the cryptographic hardware to use. .sp -When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-keygen.1in b/doc/man/dnssec-keygen.1in index 4a1b272840..057ff3d37f 100644 --- a/doc/man/dnssec-keygen.1in +++ b/doc/man/dnssec-keygen.1in @@ -103,9 +103,9 @@ ECDSAP384SHA384, ED25519, and ED448. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-revoke.1in b/doc/man/dnssec-revoke.1in index 76691d4c2c..11c65032e5 100644 --- a/doc/man/dnssec-revoke.1in +++ b/doc/man/dnssec-revoke.1in 
@@ -59,9 +59,9 @@ This option prints version information. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in index 753a5c205c..32ae197b54 100644 --- a/doc/man/dnssec-settime.1in +++ b/doc/man/dnssec-settime.1in @@ -102,9 +102,9 @@ This option sets the debugging level. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in index 6f520029b9..e999d2d1fc 100644 --- a/doc/man/dnssec-signzone.1in +++ b/doc/man/dnssec-signzone.1in 
@@ -69,9 +69,9 @@ The resulting file can be included in the original zone file with This option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/dnssec-verify.1in b/doc/man/dnssec-verify.1in index 8539d530b0..8d61ef690b 100644 --- a/doc/man/dnssec-verify.1in +++ b/doc/man/dnssec-verify.1in @@ -47,9 +47,9 @@ This option specifies the DNS class of the zone. .B \fB\-E engine\fP This option specifies the cryptographic hardware to use, when applicable. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&. diff --git a/doc/man/named.8in b/doc/man/named.8in index 1c9ad8a233..db3ddd4176 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in 
@@ -72,9 +72,9 @@ in a process listing. The contents of \fBstring\fP are not examined. When applicable, this option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing. .sp -When BIND is built with OpenSSL PKCS#11 support, this defaults to the -string \fBpkcs11\fP, which identifies an OpenSSL engine that can drive a -cryptographic accelerator or hardware service module. When BIND is +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it defaults to the path of the PKCS#11 provider library specified via \fB\-\-with\-pkcs11\fP\&.
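Review bot: the added sentence "When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier ..." (the same three `+` lines in all 14 hunks) reads as if `-E` were mandatory on every OpenSSL build, including builds where no accelerator or HSM is in use. The commit message states the actual point, that `-E` no longer has an implicit `pkcs11` default and must be given explicitly; suggest saying that directly, e.g. "When BIND 9 is built with OpenSSL, no engine is selected by default; to use a cryptographic accelerator or HSM, set this to the OpenSSL engine identifier (usually ``pkcs11``)". The paragraph also does not say what happens when `-E` is omitted on such a build; an operator who expects keys to stay on the hardware device needs to know whether that is an error or whether the tool proceeds without the engine, so please document it here.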
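Review bot: "hardware service module" in the added line "hardware service module (usually ``pkcs11``)" carries the old text's wording forward; the term is hardware security module. Since these lines are being rewritten anyway, correct it in the same change, in both the `.rst` hunks and the `.1in`/`.8in` hunks. As a style point in the same paragraph, the new sentence says "BIND 9" while the unchanged sentence that follows still says "When BIND is built with native PKCS#11 cryptography"; use one form throughout.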