[Opendnssec-develop] How to replicate signer-stuck with SoftHSM

Rickard Bellgrim rickard at opendnssec.org
Mon May 13 06:26:35 UTC 2013

The Enforcer will never tell the Signer to use a key before it has been
created with C_GenerateKeyPair. Could it be that your HSM returns from this
function call before the key is available in the HSM (and synchronized
within the cluster)?

SoftHSM will only return from C_GenerateKeyPair when the key has been
created, so there is no lock in that respect.

// Rickard

On Thu, May 2, 2013 at 11:05 AM, Rick van Rein (OpenFortress) <
rick at openfortress.nl> wrote:

> Hello all,
> I've been trying to replicate our problems with the signer getting stuck
> (OPENDNSSEC-400).  It seems to occur fairly often (2 out of 4 multi-zone
> additions) after we removed <RequireBackup/> on our signer.
> I have tried to reproduce the problems with SoftHSM.  I even inserted a
> random delay of 1-5 seconds in C_GenerateKeyPair (patch attached) in the
> hope to lure the Signer into a race condition, like attempting to sign a
> zone before the keys have established, for instance due to reading the new
> zone list.  Much to my surprise, all keys are created before the Signer
> kicks into action.  This is quite different from what we see on our live
> platform with a real, replicated HSM.
> I am wondering if this could be caused by lack of concurrency support in
> SoftHSM, which could either cause different behaviour from the Enforcer?
>  Alternatively, I can imagine a global lock on the SoftHSM that blocks the
> Signer from jumping into action as early as it does with our fullblown HSM.
>  I tested on SoftHSM 1.2.1.
> Any suggestions are kindly welcomed; if I can replicate the race condition
> somehow, I'd imagine it'd be good input for the project.
> Cheers,
>  -Rick
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20130513/9eabf69e/attachment.htm>

More information about the Opendnssec-develop mailing list