Thanks for the clarification Daniel, appreciate it.
If you (or anyone on list) has ideas for HSMs to buy that work well with parallel workers
but don't cost $$$$, I am open to suggestions. ;-)
Laura
------- Original Message -------
On Monday, August 16th, 2021 at 7:36 AM, Daniel Salzman <daniel.salzman(a)nic.cz> wrote:
Hi Laura,
Knot DNS uses GnuTLS PKCS #11 API, which is based on p11-kit. So use_file_caching
isn't supported.
As Libor already wrote, setting background workers to 1 might help. Some HSMs don't
work well with parallel signing workers.
Best,
Daniel
On 8/10/21 6:29 PM, Laura Smith wrote:
I am working on a Knot deployment that uses
Nitrokey HSM[1] as a PKCS11 platform.
As you might imagine, for a small USB device, the Nitrokey is not exactly the most
performant HSM in the world.
My configuration works great with one or two test zones. But when I start ramping up the
number of zones, I start seeing weird problems with Knot (e.g. "blocked zone update
due to open control transaction" errors ... which don't seem to be errors because
my code debug shows the "zone-commit" being run, but it still leaves the Knot
database in a weird corrupt state where I cannot even "conf-unset" a domain even
if it is clearly existing in "conf-read").
Looking around the internet, it seems "OpenSC use_file_caching" might be the
answer[2]. Does Knot support this?
[1] https://www.nitrokey.com/files/doc/Nitrokey_HSM_factsheet.pdf
[2] https://support.nitrokey.com/t/slow-initialization-of-nitrokey-hsm/2906/6
--
https://lists.nic.cz/mailman/listinfo/knot-dns-users
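Added example, not taken from the thread or from the Knot project: a minimal Knot DNS configuration fragment that applies Daniel's and Libor's suggestion, a PKCS #11 keystore driven through GnuTLS with background-workers reduced to 1 so the HSM never sees parallel signing sessions. The token label, PIN, module path, policy id and zone name are assumed placeholders.

```yaml
# Assumed placeholders: token label, PIN, OpenSC module path, zone name.
server:
    # A single background worker serialises DNSSEC signing, which avoids
    # concurrent PKCS #11 sessions on small USB HSMs. The default is derived
    # from the CPU count, which is what drove parallel signing above.
    background-workers: 1

keystore:
  - id: hsm
    backend: pkcs11
    # PKCS #11 URL, then the path to the PKCS #11 module, separated by a space.
    # pin-value stores the PIN in clear text: keep the config file readable by
    # the knot user only.
    config: "pkcs11:token=KNOT-HSM;pin-value=123456 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"

policy:
  - id: hsm-policy
    keystore: hsm
    algorithm: ecdsap256sha256

zone:
  - domain: example.net
    dnssec-signing: on
    dnssec-policy: hsm-policy
```

After changing background-workers, restart knotd rather than reloading, since the worker pool is sized at startup.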