[Opendnssec-user] Questions about ODS and SoftHSM

Berry A.W. van Halderen berry at nlnetlabs.nl
Thu Jun 18 07:36:09 UTC 2015


On 06/17/2015 04:24 PM, Jake Zack wrote:
> Assuming 2048 KSK, 1024 ZSK…
> Would SoftHSM function properly with KSK+ZSK+rollover for 100,000
> domains concurrently?  Can it manage a few hundred thousand keys?
> Is anyone using SoftHSM for doing mass-signing of tons of zones – all
> using separate keys?

That would depend also heavily on the frequency you want your signatures
and keys to be refreshed.  Some time before a signature expires the RR
needs to be resigned; this timing is configurable.  And it also would
depend on the actual size of the zone, and of course on your hardware.
A moderate CPU would be able to do a good 1000 signatures per second.  It
will scale per CPU (even with hyperthreading).

There is however a part of OpenDNSSEC that does not scale well yet (with
version 1.4) with a large amount of zones.  The enforcer of that version
would need about an hour to go over the 100.000 zones each time
a key rollover step needs to take place.  To refresh the signatures this
is not a problem.  So again it depends on how often you need to roll
your keys.

A large number of zones is one of the limitations being addressed in
version 2.x which is in the making.

Note that I'm talking about distinct zones, not about a zone that
contains 100.000 entries, that's a different matter.  100.000 entries is
proven, although it takes a bit of memory.

> How does OpenDNSSEC handle being sent a sign command for several zones
> at once?

You can set the number of threads that can concurrently do work.  There
are two settings, one where you can specify the number of threads that
do work on separate zone files, but there is also a setting where
multiple threads can do work

> Is there a maximum number of keys that SoftHSM can store?

Not really, there's probably some unreasonably high limit.  The MySQL
interface will probably scale better than the SQLite backend.

> Any limitations in the PKCS library that’d break the mass signing of
> tons of zones?

If you go on signing 100000 zones at the same time, that isn't useful.
On a 4 core CPU with hyperthreading you'd do a maximum of 9 zones at the
same time to get maximum performance.  With more, performance will
quickly degrade and grind to a halt.

> If someone else is doing this…I assume they have more than one signing
> machine with the kaspdb being replicated between signers…is there a
> graceful way of doing this?

That will probably not work right now.

> What about file locking under kaspdb?  I’ve noticed even with signing
> one zone with physical HSM (.CA), I’ll occasionally get back a file lock
> when either monitoring and/or enforcerd is in the middle of something…if
> SoftHSM were sent a few hundred key creations at once for new customers
> being on-boarded, would that cause locking issues for signing that’d be
> ongoing at the same time?

There should be (actually must, it will lock it) one enforcer working on
the kaspdb.

With kind regards,
Berry van Halderen
(OpenDNSSEC dev)
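A small capacity model for the questions raised in this thread, added here as an example and not code from the thread or from OpenDNSSEC. It takes the two figures the reply gives (roughly 1000 signatures per second per core, and about an hour for one 1.4 enforcer pass over 100,000 zones); `SigningPlan`, its field names and the RRset-per-zone counts are assumed planning inputs.

```python
# Constructed capacity model, not code from the thread or from OpenDNSSEC.
# Figures from the reply: ~1000 signatures/s per core, ~1 hour for one 1.4
# enforcer pass over 100,000 zones. Everything else is an assumed input.
from dataclasses import dataclass

DAY = 86400

@dataclass
class SigningPlan:
    zones: int
    rrsets_per_zone: int            # assumption: signed RRsets per zone
    validity_s: int                 # signature validity period
    refresh_s: int                  # re-sign this long before expiry
    cores: int                      # cores incl. hyperthreads (scales per CPU)
    sigs_per_core_s: float = 1000.0 # quoted in the reply
    enforcer_pass_s: int = 3600     # quoted in the reply for 100,000 zones

def resign_interval_s(p: SigningPlan) -> int:
    """A signature is reissued once every (validity - refresh) seconds."""
    interval = p.validity_s - p.refresh_s
    if interval <= 0:
        raise ValueError("refresh must be shorter than validity")
    return interval

def steady_state_sig_rate(p: SigningPlan) -> float:
    """Signatures/s needed just to keep existing signatures fresh."""
    return p.zones * p.rrsets_per_zone / resign_interval_s(p)

def signing_capacity(p: SigningPlan) -> float:
    """Signatures/s with every core busy."""
    return p.cores * p.sigs_per_core_s

def full_resign_seconds(p: SigningPlan) -> float:
    """Worst case: every RRset of every zone re-signed at once
    (e.g. after a ZSK change), signer fully busy."""
    return p.zones * p.rrsets_per_zone / signing_capacity(p)

def bottleneck(p: SigningPlan) -> str:
    """Which stage dominates: keeping signatures fresh, a full re-sign
    burst, or the enforcer walking all zones for one rollover step."""
    if steady_state_sig_rate(p) > signing_capacity(p):
        return "signer"
    return "enforcer" if p.enforcer_pass_s > full_resign_seconds(p) else "signer-burst"

if __name__ == "__main__":
    plan = SigningPlan(zones=100_000, rrsets_per_zone=10,
                       validity_s=14 * DAY, refresh_s=3 * DAY, cores=8)
    print(f"steady load {steady_state_sig_rate(plan):.2f} sig/s of "
          f"{signing_capacity(plan):.0f}; full re-sign {full_resign_seconds(plan):.0f} s; "
          f"bottleneck: {bottleneck(plan)}")
```

With the assumed 100,000 zones of 10 RRsets, 14-day validity and 3-day refresh on 8 cores, keeping signatures fresh needs about one signature per second and a full re-sign of everything takes about two minutes, so the hour-long enforcer pass is what limits how often keys can roll.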
