# Where are /opt/bind9/... directories in FreeBSD



## HL1234 (Jul 26, 2021)

For some PKCS#11 configuration I found examples of what to do, but nothing with FreeBSD as the OS.
Like:
PKCS#11 in BIND 9 - Configuring OpenSSL to use engine_pkcs11
https://gitlab.isc.org/isc-projects...CS11#configuring-openssl-to-use-engine_pkcs11

But I do not know where the directories are in FreeBSD, like

```
/opt/bind9/etc/
/opt/bind9/engines
/opt/bind9/lib/tokens   this is maybe that /var/lib/softhsm/tokens/
```
which are written in the description (see link).
What does he mean by /opt/bind9/...? This looks like Linux.

In FreeBSD we get /usr/local/sbin/named and /usr/local/etc/namedb (not chrooted)

Does anyone have such an example like the one above, but with FreeBSD, with everything installed from the ports, and configuration examples for that?


----------



## Jose (Jul 26, 2021)

HL1234 said:


> What does he mean by /opt/bind9/...? This looks like Linux.


I first ran into an /opt directory on Solaris, and it does seem that is still a thing on that OS.

It's supposedly still a thing in Linux as well, but you have to understand that Linux is much too modern and dynamic to worry about things like compliance with a standard.

Edit: It is not a thing on FreeBSD. Despite what that Wikipedia page says, the directory layout in FreeBSD is described in the hier(7) man page.


----------



## Alain De Vos (Jul 26, 2021)

Maybe,

```
pkg info -l bind9
```


----------



## HL1234 (Jul 26, 2021)

Maybe my question was not well verbalized. I know the directory layout in FreeBSD.

What are the comparable directories for


> /opt/bind9/etc/
> /opt/bind9/engines
> /opt/bind9/lib/..


on FreeBSD?


----------



## HL1234 (Jul 26, 2021)

Alain De Vos said:


> Maybe,
> 
> ```
> pkg info -l bind9
> ```


`pkg info -l bind916`
but this doesn't tell me what directory I should take for /opt/bind/...


----------



## PMc (Jul 26, 2021)

Sorry I didn't yet manage to look closely into DNSSEC, so cannot help with configs. I did integrate with Kerberos, and that was fun already...

Which openssl are you using? From base or from ports?
If from base, then your engines should be in /usr/lib/engines, because they're part of ssh, and ssh is part of base. /usr/local/etc/rc.d/named has this path configured and will copy them into chroot when chroot is used.
But then, you probably don't need this, because security/libp11 exists as a port. security/softhsm2 seems also to exist.

The other things should then be in /usr/local/etc/named and /usr/local/lib/named, respectively. They seem to get declared via environment-variables and config files, so the actually used path is not so critical.

The real fun will start when you then try to chroot that beast...


----------



## HL1234 (Jul 30, 2021)

PMc said:


> Which openssl are you using? From base or from ports?





PMc said:


> /usr/local/etc/rc.d/named has this path configured and will copy them into chroot when chroot is used.
> But then, you probably don't need this, because security/libp11 exists as a port. security/softhsm2 seems also to exist.
> 
> The other things should then be in /usr/local/etc/named and /usr/local/lib/named, respectively. They seem to get declared via environment-variables and config files, so the actually used path is not so critical.


Sorry for the late reply.
I use openssl from the ports. In /usr/local/lib/engines I find


```
lrwxr-xr-x  1 root wheel     9 Juli 24 21:05 libpkcs11.so -> pkcs11.so
-rwxr-xr-x  1 root wheel 86120 Juli 24 21:05 pkcs11.so
```


Do I understand right, that you think I should take /usr/local/etc/named for /opt/bind9/? And should I use /usr/local/etc/ for /opt/bind9/etc or also /usr/local/etc/named to copy openssl.conf openssl.cnf?


----------



## PMc (Jul 30, 2021)

HL1234 said:


> Sorry for the late reply.
> I use openssl from the ports. In /usr/local/lib/engines I find
> 
> Do I understand right, that you think I should take /usr/local/etc/named for /opt/bind9/?


Not in full. An identical analogue to /opt/bind9/ itself doesn't exist here, because things are swapped: /opt/bind9/etc becomes /usr/local/etc/named, /opt/bind9/lib becomes /usr/local/lib/named, and so on.


HL1234 said:


> And should I use /usr/local/etc/ for /opt/bind9/etc or also /usr/local/etc/named to copy openssl.conf?


Careful. You can put openssl.conf at any place you want, as long as you put the chosen path into the other configs that shall use it. If the path is missing, the default installation openssl.conf is used. The default installation openssl.conf is /etc/ssl/openssl.conf in my case (with ssl from base). In your case with ssl from ports, the default openssl.conf must be somewhere under /usr/local, probably either /usr/local/etc/openssl.conf or /usr/local/etc/ssl/openssl.conf.
Figure that out, and then take care that you _do not mix these two_, the default openssl.conf that comes along with ssl-from-ports, and the one you are creating. Therefore I would put it into /usr/local/etc/named.conf (or even give it a different name).


----------



## HL1234 (Jul 30, 2021)

Thanks for the reply.
First I changed the name: not .conf but .cnf - right: openssl.cnf
I found a lot of openssl.cnf files on my system, like

```
/etc/ssl/openssl.cnf
/usr/local/etc/ssl/openssl.cnf
/usr/local/openssl/openssl.cnf
/usr/local/share/examples/dovecot/dovecot-openssl.cnf
/usr/src/crypto/openssl/apps/openssl.cnf
/var/db/etcupdate/current/etc/ssl/openssl.cnf
```
with

```
ll /usr/local/openssl/openssl.cnf
lrwxr-xr-x 1 root wheel 30 Juni 11  2019 /usr/local/openssl/openssl.cnf -> /usr/local/etc/ssl/openssl.cnf
```
I do not want to move it - I will copy it and then change it.
Thanks for the advice for the directories.
In /usr/local/lib/named I find

```
-rw-r--r--  1 root wheel 22296 Juli 24 16:51 filter-aaaa.so
```
but I think this comes with the installation of BIND.

In between I think I had misunderstood the option with the comment:

```
Choose which crypto engine to use: you can only select none or one of them
( ) NATIVE_PKCS11 Use PKCS#11 native API (**READ HELP**)
```
There was nothing selected, so I selected one of them. It is confusing when a radio button can be deselected.
If I can get the howto to work I will install bind without that PKCS#11 - and that should work. Now I have to set the -E "" parameter to named with the path to the correct engine or it cannot start. There is no way to disable that.


----------
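PMc's advice not to mix the default openssl.cnf with the copy made for named can be checked mechanically, which matters here because one of the listed paths is a symlink to another. The script below is an added example, not part of the thread: the custom file path is whatever the reader passes as an argument, and the default candidates are the paths HL1234 listed plus the directory reported by `openssl version -d`.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, with a file name of your choice:
#   sh check-cnf.sh /usr/local/etc/named/my-pkcs11-openssl.cnf

# Extract the directory from `openssl version -d` output,
# e.g.  OPENSSLDIR: "/usr/local/openssl"  ->  /usr/local/openssl
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# check_separate CUSTOM DEFAULT...
#   0: CUSTOM is a regular file distinct from every DEFAULT
#   1: CUSTOM is the same file as a DEFAULT (symlink or hard link)
#   2: CUSTOM does not exist
check_separate() {
    custom=$1; shift
    [ -f "$custom" ] || return 2
    for d in "$@"; do
        # -ef compares device and inode after following symlinks
        if [ -e "$d" ] && [ "$custom" -ef "$d" ]; then
            echo "conflict: $custom is the same file as $d" >&2
            return 1
        fi
    done
    return 0
}

main() {
    # Default config directory compiled into the openssl binary in PATH
    dir=$(parse_openssldir "$(openssl version -d)")
    # Remaining candidates are the default locations listed in the thread
    check_separate "$1" \
        "$dir/openssl.cnf" \
        /etc/ssl/openssl.cnf \
        /usr/local/etc/ssl/openssl.cnf \
        /usr/local/openssl/openssl.cnf
}

# Only run the check when a path is given on the command line
if [ $# -gt 0 ]; then main "$@"; fi
```

An exit status of 1 means edits to the "custom" file would also change the system-wide default, which is the mix-up to avoid.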

