Bug 1097752

Summary: [RFE] Support native PKCS#11 interface
Product: [Fedora] Fedora
Reporter: Petr Spacek <pspacek>
Component: bind
Assignee: Tomáš Hozza <thozza>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: psimerda, thozza, vonsch
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: bind-9.9.6-2.fc21
Doc Type: Bug Fix
Clone Of:
: 1097753
Last Closed: 2014-11-01 17:17:02 UTC
Type: Bug
Bug Depends On: 1110720    
Bug Blocks: 998522, 1097749    

Description Petr Spacek 2014-05-14 13:00:31 UTC
Proper DNSSEC support in FreeIPA requires PKCS#11 interface in BIND.

BIND 9.10 introduced support for native PKCS#11 interface:
http://ftp.isc.org/isc/bind9/cur/9.10/RELEASE-NOTES-BIND-9.10.0-P1.txt

We can either rebase BIND or backport PKCS#11 support from v9.10 to v9.9.

Comment 1 Tomáš Hozza 2014-09-25 15:18:19 UTC
Testing packages (should be final) can be found here:
http://copr-fe.cloud.fedoraproject.org/coprs/thozza/bind-9.9.4-native-pkcs11/

Changes are for the time being here:
https://github.com/thozza/fedora20-bind-pkcs11-backport

Comment 2 Petr Spacek 2014-09-26 13:37:55 UTC
Unfortunately, this package doesn't contain the dnssec-keyfromlabel utility, so it is untestable.

Comment 3 Tomáš Hozza 2014-09-29 06:50:05 UTC
Just for the record, the utility is available in bind-pkcs11-utils

Comment 4 Petr Spacek 2014-09-29 14:05:32 UTC
I have tested the latest build and it works for me.

Comment 5 Tomáš Hozza 2014-10-06 11:40:13 UTC
I'm still waiting for the SoftHSMv2 rebase. Without it the bind-pkcs11* sub-packages are useless!

Comment 6 Tomáš Hozza 2014-10-14 13:21:01 UTC
Added in bind-9.9.6-2.fc22 and bind-9.9.6-2.fc21

Comment 7 Fedora Update System 2014-10-14 13:23:03 UTC
bind-9.9.6-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/bind-9.9.6-2.fc21

Comment 8 Fedora Update System 2014-10-16 02:00:32 UTC
Package bind-9.9.6-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing bind-9.9.6-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12860/bind-9.9.6-2.fc21
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-11-01 17:17:02 UTC
bind-9.9.6-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.