From 6cf86cc75b02beca41046bf55f4fefeec28c505d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 9 Sep 2021 22:13:36 +0200
Subject: [PATCH] Add deprecation notice about --enable-native-pkcs11 to
 configure.ac

The native PKCS#11 feature has been removed in BIND 9.18, so we need to
add a deprecation notice (warning at ./configure time) to the next 9.16
release.
---
 configure    | 13 +++++++++++++
 configure.ac | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/configure b/configure
index b8c5b0fe6d..6c2c554dd7 100755
--- a/configure
+++ b/configure
@@ -26364,6 +26364,19 @@ report() {
     test "$CRYPTO" = "pkcs11" && (
 	echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
 	echo "    PKCS#11 module (--with-pkcs11): $with_pkcs11"
+	echo "    +--------------------------------------------+"
+	echo "    |             ==== WARNING ====              |"
+	echo "    |                                            |"
+	echo "    | The use of native PKCS#11 for Public-Key   |"
+	echo "    | Cryptography in BIND 9 has been deprecated |"
+	echo "    | in favor of OpenSSL engine_pkcs11 from the |"
+	echo "    | OpenSC project. The --with-native-pkcs11   |"
+	echo "    | configuration option will be removed from  |"
+	echo "    | the next major BIND 9 release. The option  |"
+	echo "    | to use the engine_pkcs11 OpenSSL engine is |"
+	echo "    | already available in BIND 9; please see    |"
+	echo "    | the ARM section on PKCS#11 for details.    |"
+	echo "    +--------------------------------------------+"
     )
 
     echo "    Dynamically loadable zone (DLZ) drivers:"
diff --git a/configure.ac b/configure.ac
index d654eb6bb9..a30f078a8a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2991,6 +2991,19 @@ report() {
     test "$CRYPTO" = "pkcs11" && (
 	echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
 	echo "    PKCS#11 module (--with-pkcs11): $with_pkcs11"
+	echo "    +--------------------------------------------+"
+	echo "    |             ==== WARNING ====              |"
+	echo "    |                                            |"
+	echo "    | The use of native PKCS#11 for Public-Key   |"
+	echo "    | Cryptography in BIND 9 has been deprecated |"
+	echo "    | in favor of OpenSSL engine_pkcs11 from the |"
+	echo "    | OpenSC project. The --with-native-pkcs11   |"
+	echo "    | configuration option will be removed from  |"
+	echo "    | the next major BIND 9 release. The option  |"
+	echo "    | to use the engine_pkcs11 OpenSSL engine is |"
+	echo "    | already available in BIND 9; please see    |"
+	echo "    | the ARM section on PKCS#11 for details.    |"
+	echo "    +--------------------------------------------+"
     )
 
     echo "    Dynamically loadable zone (DLZ) drivers:"