[Opendnssec-develop] How to replicate signer-stuck with SoftHSM

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu May 2 09:05:04 UTC 2013

Hello all,

I've been trying to replicate our problems with the signer getting stuck (OPENDNSSEC-400).  It seems to occur fairly often (2 out of 4 multi-zone additions) after we removed <RequireBackup/> on our signer.

I have tried to reproduce the problems with SoftHSM.  I even inserted a random delay of 1-5 seconds in C_GenerateKeyPair (patch attached) in the hope to lure the Signer into a race condition, like attempting to sign a zone before the keys have established, for instance due to reading the new zone list.  Much to my surprise, all keys are created before the Signer kicks into action.  This is quite different from what we see on our live platform with a real, replicated HSM.

I am wondering if this could be caused by lack of concurrency support in SoftHSM, which could either cause different behaviour from the Enforcer?  Alternatively, I can imagine a global lock on the SoftHSM that blocks the Signer from jumping into action as early as it does with our fullblown HSM.  I tested on SoftHSM 1.2.1.

Any suggestions are kindly welcomed; if I can replicate the race condition somehow, I'd imagine it'd be good input for the project.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: softhsm-1.2.1-slowkeygen.patch
Type: application/octet-stream
Size: 885 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20130502/0ad0dc0d/attachment.obj>
-------------- next part --------------

More information about the Opendnssec-develop mailing list