<div dir="ltr">The Enforcer will never tell the Signer to use a key before it has been created with <span style="font-family:arial,sans-serif;font-size:13px">C_GenerateKeyPair. Could it be that your HSM returns from this function call before the key is available in the HSM (and synchronized within the cluster)?</span><div>
<font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">SoftHSM will only return from </font><span style="font-family:arial,sans-serif;font-size:13px">C_GenerateKeyPair</span><span style="font-family:arial,sans-serif"> when the key has been created, so there is no lock in that respect.</span></div>
<div><div class="gmail_extra"><br></div><div class="gmail_extra">// Rickard<br><br><div class="gmail_quote">On Thu, May 2, 2013 at 11:05 AM, Rick van Rein (OpenFortress) <span dir="ltr">&lt;<a href="mailto:rick@openfortress.nl" target="_blank">rick@openfortress.nl</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello all,<br>
<br>
I've been trying to replicate our problems with the signer getting stuck (OPENDNSSEC-400). It seems to occur fairly often (2 out of 4 multi-zone additions) after we removed &lt;RequireBackup/&gt; on our signer.<br>
<br>
I have tried to reproduce the problems with SoftHSM. I even inserted a random delay of 1-5 seconds in C_GenerateKeyPair (patch attached) in the hope of luring the Signer into a race condition, like attempting to sign a zone before the keys have been established, for instance due to reading the new zone list. Much to my surprise, all keys are created before the Signer kicks into action. This is quite different from what we see on our live platform with a real, replicated HSM.<br>
<br>
I am wondering if this could be caused by lack of concurrency support in SoftHSM, which could either cause different behaviour from the Enforcer? Alternatively, I can imagine a global lock on the SoftHSM that blocks the Signer from jumping into action as early as it does with our full-blown HSM. I tested on SoftHSM 1.2.1.<br>
<br>
Any suggestions are kindly welcomed; if I can replicate the race condition somehow, I'd imagine it'd be good input for the project.<br>
<br>
<br>
Cheers,<br>
-Rick<br>
<br>_______________________________________________<br>
Opendnssec-develop mailing list<br>
<a href="mailto:Opendnssec-develop@lists.opendnssec.org">Opendnssec-develop@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop</a><br>
<br></blockquote></div><br></div></div></div>