[Opendnssec-develop] How to replicate signer-stuck with SoftHSM
Rickard Bellgrim
rickard at opendnssec.org
Mon May 13 08:37:22 UTC 2013
> A variation might be that PKCS #11 describes certain liberties that are
> revealed with a different key-creating and key-using command; I seem to
> recall, but haven't found back yet, that one process does not always get to
> see updates in another; and if the signer reads the entire zone list,
> including not-seen-before zones and only then reopens the HSM slot, things
> could go awry.
>
It could be the case the the signer finds the zone in the zone list, but it
will newer find the signconf unless the keys are generated.
> In general however, the fault pattern seems to be caused by reading the
> zone list when an unknown zone is updated by the Enforcer. The new zone
> list includes ones that have no keys assigned yet, which could lead to
> exceptional behaviour. The SoftHSM avoids this behaviour, probably due to
> a global lock that holds its access to the Enforcer until it is entirely
> done? Could you confirm that the SoftHSM lock is global?
>
The calling application won't get an object handle unless the key has been
generated. So there is no need for a lock like that.
The Signer Engine cannot pick a key at random, it needs to know exactly
which key to use. This is what the Enforcer tells the Signer Engine via the
signconf.
// Rickard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20130513/88266b58/attachment.htm>
More information about the Opendnssec-develop
mailing list