Laura, I have to say that even some (all?) expensive HSMs don't work effectively with more threads, as the operations are serialized in the device. The priority of an HSM is security, not crypto performance ;-) It means that more background workers don't necessarily give higher performance.
Daniel
On 8/16/21 9:36 AM, Laura Smith wrote:
Thanks for the clarification Daniel, appreciate it.
If you (or anyone on the list) have ideas for HSMs to buy that work well with parallel workers but don't cost $$$$, I am open to suggestions. ;-)
Laura
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, August 16th, 2021 at 7:36 AM, Daniel Salzman <daniel.salzman(a)nic.cz>
wrote:
> Hi Laura,
>
> Knot DNS uses the GnuTLS PKCS #11 API, which is based on p11-kit. So use_file_caching isn't supported.
>
> As Libor already wrote, setting background workers to 1 might help. Some HSMs don't work well with parallel signing workers.
>
> Best,
>
> Daniel
>
> On 8/10/21 6:29 PM, Laura Smith wrote:
>
>> I am working on a Knot deployment that uses Nitrokey HSM[1] as a PKCS11 platform.
>>
>> As you might imagine, for a small USB device, the Nitrokey is not exactly the most performant HSM in the world.
>>
>> My configuration works great with one or two test zones. But when I start ramping up the number of zones, I start seeing weird problems with Knot (e.g. "blocked zone update due to open control transaction" errors ... which don't seem to be errors because my code debug shows the "zone-commit" being run, but it still leaves the Knot database in a weird corrupt state where I cannot even "conf-unset" a domain even if it is clearly existing in "conf-read").
>>
>> Looking around the internet, it seems "OpenSC use_file_caching" might be the answer[2]. Does Knot support this?
>>
>> [1] https://www.nitrokey.com/files/doc/Nitrokey_HSM_factsheet.pdf
>>
>> [2] https://support.nitrokey.com/t/slow-initialization-of-nitrokey-hsm/2906/6
>
> --
> https://lists.nic.cz/mailman/listinfo/knot-dns-users
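As an added illustration of the advice in this thread (not a configuration posted by any participant, and not taken from the Knot DNS project itself), the fragment below shows a Knot DNS server section with the background worker count pinned to 1 next to a PKCS #11 keystore definition. The keystore `config` string follows the documented Knot form of a PKCS #11 URI followed by the path to the PKCS #11 module; the token label, PIN, module path, policy name and zone name are placeholders chosen for this example, not values from the thread.

```yaml
# Added example, not from the original thread or the Knot DNS project.
# Placeholder values (token label, PIN, module path, zone) are assumptions.

server:
    # Serialising signing on one worker, as suggested in the thread for
    # HSMs that cope badly with parallel signing requests.
    background-workers: 1

keystore:
  - id: usb_hsm
    backend: pkcs11
    # "<PKCS#11 URI> <path to PKCS#11 module>"; OpenSC module path assumed.
    config: "pkcs11:token=knot-signing;pin-value=123456 /usr/lib/opensc-pkcs11.so"

policy:
  - id: hsm_policy
    keystore: usb_hsm
    algorithm: ecdsap256sha256

zone:
  - domain: example.com.
    dnssec-signing: on
    dnssec-policy: hsm_policy
```

Keeping the PIN in the configuration file means the file itself must be protected (restrictive permissions, owned by the user Knot runs as); with a single background worker, signing throughput is bounded by the device's own serialised operation rate, which is the behaviour Daniel describes above.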