[Opendnssec-user] signer setup fails with more than 10 key repositories

Simon Mittelberger simon.mittelberger at united-domains.de
Mon Jan 10 09:50:08 UTC 2011

Am Montag, den 10.01.2011, 10:03 +0100 schrieb Rickard Bellgrim: 
> I do not think there is a problem for us increasing the number of allowed sessions (number of HSM:s). But how many key repositories do you need?

We have currently 500 to 1000 zones in our testbed and key lifetimes are
defined very short, so that rollovers of zsk and ksk happen at least
every minute. The keys are not shared between zones, which results in
approximately 3000 keys.

However, we noticed that the performance of SoftHSM is decreasing when
the number of handled keys rises.

Our approach is to have a lot of policies, each with its own SoftHSM
repository, so that zones are spread over a lot of policies/SoftHSMs.
This setup is performing very well at the moment.

We increased the constant HSM_MAX_SESSIONS to 100 and ran a test over
the weekend with 20 policies/repositories. It worked without errors.

We think that if we increase the number of repositories we should also
be able to increase the number of handled zones to a much larger number.

However, we are aware of the fact that this workaround will reach its
limit at a certain point, because of other parts of OpenDNSSEC.

Therefore we are very excited about the next versions of OpenDNSSEC!

All the best,
