[Opendnssec-user] signer setup fails with more than 10 key repositories

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Jan 10 09:03:03 UTC 2011

On 7 jan 2011, at 14.32, Sion Lloyd wrote:

> libhsm.h contains the following line:
> #define HSM_MAX_SESSIONS 10
> Which probably goes some way to explaining it. I'm not sure that this can just 
> be raised though as:

Yes this sets the limit on the maximum number of sessions per context. Each context have one session with each HSM. 

> 1) I don't know why it is set to 10 in the first place

Neither do I.

> 2) There may be some assumptions that it is 10 in other places. (I know that 
> there shouldn't be, but I have not checked for it.)

I could not find any place that had this hard coded. We only add a session to a context in one place. This is where the HSM_MAX_SESSIONS is check. If that value is exceeded then we return 1. In the rest of the code, we use ctx->session_count as the maximum bound for the session array. This counter is increased each time a session is added.

I do not think there is a problem for us increasing the number of allowed sessions (number of HSM:s). But how many key repositories do you need?

Anyways, the libhsm will be rewritten for the v1.3 release. There we perhaps can have a look on a more dynamic approach of handling the sessions.

// Rickard

More information about the Opendnssec-user mailing list