[Opendnssec-user] signer setup fails with more than 10 key repositories
Rickard Bellgrim
rickard.bellgrim at iis.se
Mon Jan 10 09:03:03 UTC 2011
On 7 jan 2011, at 14.32, Sion Lloyd wrote:
> libhsm.h contains the following line:
>
> #define HSM_MAX_SESSIONS 10
>
> Which probably goes some way to explaining it. I'm not sure that this can just
> be raised though as:
Yes, this sets the limit on the maximum number of sessions per context. Each context has one session with each HSM.
> 1) I don't know why it is set to 10 in the first place
Neither do I.
> 2) There may be some assumptions that it is 10 in other places. (I know that
> there shouldn't be, but I have not checked for it.)
I could not find any place that had this hard coded. We only add a session to a context in one place. This is where the HSM_MAX_SESSIONS is checked. If that value is exceeded then we return 1. In the rest of the code, we use ctx->session_count as the maximum bound for the session array. This counter is increased each time a session is added.
I do not think there is a problem for us increasing the number of allowed sessions (number of HSMs). But how many key repositories do you need?
Anyways, the libhsm will be rewritten for the v1.3 release. There we perhaps can have a look at a more dynamic approach of handling the sessions.
// Rickard
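
Added example, not part of the original message and not libhsm's own code: a sketch of the fixed-cap session array described above (limit checked in the one place a session is added, 1 returned when full, session_count used as the bound) next to a dynamically grown variant. All type and function names (demo_session_t, fixed_ctx_t, dyn_ctx_t, fixed_add, dyn_add, attach_n) are hypothetical; only HSM_MAX_SESSIONS and its value 10 come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HSM_MAX_SESSIONS 10 /* value quoted from libhsm.h in the thread */

/* Hypothetical stand-ins for illustration; not libhsm's real types. */
typedef struct { int repo_id; } demo_session_t;
typedef struct { demo_session_t *session[HSM_MAX_SESSIONS]; size_t session_count; } fixed_ctx_t;
typedef struct { demo_session_t **session; size_t session_count, capacity; } dyn_ctx_t;

/* Fixed cap: the only place a session is added checks the limit, returns 1 when full. */
int fixed_add(fixed_ctx_t *ctx, demo_session_t *s) {
    if (!ctx || !s || ctx->session_count >= HSM_MAX_SESSIONS) return 1;
    ctx->session[ctx->session_count++] = s;
    return 0;
}

/* Dynamic variant: grow on demand, guard size overflow and allocation failure. */
int dyn_add(dyn_ctx_t *ctx, demo_session_t *s) {
    if (!ctx || !s) return 1;
    if (ctx->session_count == ctx->capacity) {
        size_t ncap = ctx->capacity ? ctx->capacity * 2 : 4;
        if (ncap > SIZE_MAX / sizeof *ctx->session) return 1;
        demo_session_t **p = realloc(ctx->session, ncap * sizeof *p);
        if (!p) return 1; /* old array is still valid and still owned by ctx */
        ctx->session = p;
        ctx->capacity = ncap;
    }
    ctx->session[ctx->session_count++] = s;
    return 0;
}

/* Attach n constructed repositories (n <= 32); return how many were accepted. */
size_t attach_n(size_t n, int dynamic) {
    static demo_session_t repos[32];
    fixed_ctx_t f = {0};
    dyn_ctx_t d = {0};
    size_t ok = 0;
    for (size_t i = 0; i < n && i < 32; i++) {
        repos[i].repo_id = (int)i;
        if ((dynamic ? dyn_add(&d, &repos[i]) : fixed_add(&f, &repos[i])) == 0) ok++;
    }
    free(d.session);
    return ok;
}

int main(void) {
    printf("fixed: %zu of 11, dynamic: %zu of 11\n", attach_n(11, 0), attach_n(11, 1));
    return 0;
}
```

With 11 repositories the fixed-cap context rejects the eleventh, which matches the failure in the subject line; because every add goes through the one checked function, the array is never written past its bound.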