[Opendnssec-user] Questions about ODS and SoftHSM

Sebastian Castro sebastian at nzrs.net.nz
Wed Jun 17 21:13:22 UTC 2015



On 18/06/15 2:24 am, Jake Zack wrote:
> Assuming 2048 KSK, 1024 ZSK…
> 

Patrik Wallstrom did a blog post about signing 50k zones with OpenDNSSEC
back in 2011

https://www.opendnssec.org/2011/02/17/running-opendnssec-with-50000-zones/

It's a good starting read.

Without being an OpenDNSSEC developer, but having used ODS extensively,
I could tell...

> 
> Would SoftHSM function properly with KSK+ZSK+rollover for 100,000
> domains concurrently?  Can it manage a few hundred thousand keys?
> 

The backend for SoftHSM is a SQLite database. Access is exclusive, so if
you have hundreds of processes trying to access it, it will cause
deadlock and serious lag.

My understanding is there is no limit in the number of keys.

> 
> Is anyone using SoftHSM for doing mass-signing of tons of zones – all
> using separate keys?
> 
> 
> How does OpenDNSSEC handle being sent a sign command for several zones
> at once?
> 

Depending on the version, it's likely it will choke.

> 
> Is there a maximum number of keys that SoftHSM can store?
> 
> 
> Any limitations in the PKCS library that’d break the mass signing of
> tons of zones?
> 
> 
> If someone else is doing this…I assume they have more than one signing
> machine with the kaspdb being replicated between signers…is there a
> graceful way of doing this?
> 

I've heard of some people signing thousands of zones (registrars) that
use the MySQL backend for the KASP, and that scales.

> 
> What about file locking under kaspdb?  I’ve noticed even with signing
> one zone with physical HSM (.CA), I’ll occasionally get back a file lock
> when either monitoring and/or enforcerd is in the middle of something…if
> SoftHSM were sent a few hundred key creations at once for new customers
> being on-boarded, would that cause locking issues for signing that’d be
> ongoing at the same time?
> 

As above. Both SoftHSM and KASPdb are by default SQLite databases, not
designed for concurrent access.

> 
> If anyone out there has any other advice or ‘gotchas’ for someone
> looking to do a wide scale ODS/SoftHSM deployment for a large number of
> domains, I’d love any advice/feedback I could get.
> 

I hope it helps

Cheers!

> 
> Thanks all,
> 
> 
> -Jacob Zack
> 
> Sr. DNS Administrator – CIRA (.CA TLD)
> 
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 

-- 
Sebastian Castro
Technical Research Manager
NZRS Ltd.
desk: +64 4 495 2337
mobile: +64 21 400535
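An added example, not part of this thread or of the SoftHSM/OpenDNSSEC code: a small Python script that reproduces the SQLite writer contention described above for SoftHSM's backend. It uses a constructed `keys` table in a throwaway database file as a stand-in (this is not SoftHSM's real schema or token file). One connection holds a write lock, as a process in the middle of a key operation would, while a second connection tries to write. Without a busy timeout the second writer fails at once with "database is locked"; with a busy timeout it succeeds, but only after waiting out the lock, which is the lag a few hundred concurrent signers would each add to.

```python
"""Reproduce SQLite writer contention of the kind described for SoftHSM's
token database: one process holding a write lock blocks every other writer.

The 'keys' table is a constructed stand-in, not SoftHSM's real schema.
"""
import os
import sqlite3
import tempfile
import threading
import time


def make_db(path):
    """Create a small constructed table that stands in for an HSM key store."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS keys (id INTEGER PRIMARY KEY, label TEXT)")
    conn.commit()
    conn.close()


def contend(path, hold_seconds, waiter_timeout):
    """Hold a write lock on `path` for hold_seconds from one connection while a
    second connection (busy timeout = waiter_timeout seconds) tries to insert.

    Returns (status, waited): status is 'ok' if the second insert got through
    once the lock was released, 'locked' if SQLite gave up with
    "database is locked"; waited is how long the second writer was stalled.
    """
    # check_same_thread=False because a helper thread releases the lock.
    writer = sqlite3.connect(path, isolation_level=None, check_same_thread=False)
    writer.execute("BEGIN IMMEDIATE")  # takes the RESERVED lock: no other writer may proceed
    writer.execute("INSERT INTO keys (label) VALUES ('zsk-held')")

    def release():
        time.sleep(hold_seconds)
        writer.execute("COMMIT")

    t = threading.Thread(target=release)
    t.start()

    other = sqlite3.connect(path, timeout=waiter_timeout, isolation_level=None)
    start = time.monotonic()
    try:
        other.execute("INSERT INTO keys (label) VALUES ('zsk-other')")
        status = "ok"
    except sqlite3.OperationalError as exc:
        status = "locked" if "locked" in str(exc) else "error: " + str(exc)
    waited = time.monotonic() - start

    t.join()
    writer.close()
    other.close()
    return status, waited


def run_demo():
    """Run both scenarios on a throwaway database and return their outcomes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "softhsm-standin.db")
        make_db(path)
        # No busy timeout: the second writer fails immediately.
        no_wait = contend(path, hold_seconds=0.5, waiter_timeout=0)
        # Busy timeout longer than the hold: the second writer succeeds, but
        # only after waiting out the lock, which is the lag the reply warns of.
        patient = contend(path, hold_seconds=0.5, waiter_timeout=5)
        return {"no_timeout": no_wait, "with_timeout": patient}


if __name__ == "__main__":
    for name, (status, waited) in run_demo().items():
        print(f"{name}: {status} after {waited:.2f}s")
```

Run it as `python3 contention.py`. The point of the two scenarios is that a busy timeout only converts lock errors into queueing time: every extra process that writes to the same SQLite file serialises behind the current holder, so the fix is fewer concurrent writers per token database (or a backend built for concurrency, as the reply notes for the MySQL KASP option), not a longer timeout.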


