[Opendnssec-develop] How to replicate signer-stuck with SoftHSM
Rickard Bellgrim
rickard at opendnssec.org
Mon May 13 06:26:35 UTC 2013

The Enforcer will never tell the Signer to use a key before it has been
created with C_GenerateKeyPair. Could it be that your HSM returns from this
function call before the key is available in the HSM (and synchronized
within the cluster)?

SoftHSM will only return from C_GenerateKeyPair when the key has been
created, so there is no lock in that respect.

// Rickard

On Thu, May 2, 2013 at 11:05 AM, Rick van Rein (OpenFortress) <rick at openfortress.nl> wrote:
> Hello all,
>
> I've been trying to replicate our problems with the signer getting stuck
> (OPENDNSSEC-400). It seems to occur fairly often (2 out of 4 multi-zone
> additions) after we removed <RequireBackup/> on our signer.
>
> I have tried to reproduce the problems with SoftHSM. I even inserted a
> random delay of 1-5 seconds in C_GenerateKeyPair (patch attached) in the
> hope of luring the Signer into a race condition, like attempting to sign a
> zone before the keys have been established, for instance due to reading the new
> zone list. Much to my surprise, all keys are created before the Signer
> kicks into action. This is quite different from what we see on our live
> platform with a real, replicated HSM.
>
> I am wondering if this could be caused by a lack of concurrency support in
> SoftHSM, which could cause different behaviour from the Enforcer?
> Alternatively, I can imagine a global lock on the SoftHSM that blocks the
> Signer from jumping into action as early as it does with our full-blown HSM.
> I tested on SoftHSM 1.2.1.
>
> Any suggestions are kindly welcomed; if I can replicate the race condition
> somehow, I'd imagine it'd be good input for the project.
>
>
> Cheers,
> -Rick
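
The case raised in the reply above (key generation returning before the key is visible cluster-wide) can be modelled as a visibility check from the consuming session before the key is used. This is an added example, not code from OpenDNSSEC, SoftHSM or either poster; `key_lookup_fn`, `wait_for_key`, `sim_session` and the key id are hypothetical names and constructed values, and the lookup callback stands in for a PKCS#11 search by CKA_ID.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a PKCS#11 lookup by CKA_ID (C_FindObjectsInit / C_FindObjects /
 * C_FindObjectsFinal) on one session. Returns 1 if the key is visible there.
 * Hypothetical signature, used for this example only. */
typedef int (*key_lookup_fn)(void *session, const char *cka_id);

/* Poll the consumer's session until the key is visible.
 * Returns the number of lookups used, or -1 if max_attempts ran out.
 * A real caller would sleep between attempts. */
int wait_for_key(key_lookup_fn lookup, void *session,
                 const char *cka_id, int max_attempts)
{
    for (int attempt = 1; attempt <= max_attempts; attempt++)
        if (lookup(session, cka_id))
            return attempt;
    return -1;
}

/* Constructed model of the signer's session: a key generated elsewhere
 * becomes visible only after `lag` lookups (replication delay).
 * lag == 0 models a token where generation returns only once the key exists. */
struct sim_session { const char *key_id; int lag; int calls; };

static int sim_lookup(void *session, const char *cka_id)
{
    struct sim_session *s = session;
    s->calls++;
    return s->calls > s->lag && strcmp(s->key_id, cka_id) == 0;
}

/* Run one scenario; the key id is a constructed sample value. */
int run_scenario(int lag, int max_attempts)
{
    struct sim_session s = { "a1b2c3d4", lag, 0 };
    return wait_for_key(sim_lookup, &s, "a1b2c3d4", max_attempts);
}

int main(void)
{
    printf("synchronous token:   %d\n", run_scenario(0, 5));
    printf("replicated, lag 3:   %d\n", run_scenario(3, 5));
    printf("replicated, timeout: %d\n", run_scenario(3, 3));
    return 0;
}
```

A return of -1 is the condition to log and alert on: the key was reported as generated but never became visible to the session that is supposed to sign with it.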