Hi Laura,
not answering your question, but might you check out the configuration
option
https://www.knot-dns.cz/docs/3.0/singlehtml/index.html#background-workers
and set it to 1 (one), in order to avoid signing processes for different
zones running in parallel?
Libor
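As an added illustration, not from either message, here is a knot.conf fragment applying that suggestion: background-workers pinned to 1 next to a PKCS#11 keystore that points at the OpenSC module, so zone signing runs serially against the token. The token label, PIN placeholder, module path, policy name and zone name are all assumptions.

```yaml
# Added example: serialise DNSSEC signing against a slow PKCS#11 token.
server:
    # Default lets several zones load/sign concurrently; a single
    # background worker keeps only one signing job on the HSM at a time.
    background-workers: 1

keystore:
  - id: nitrokey-hsm          # assumed name
    backend: pkcs11
    # Format: "<pkcs11-url> <module-path>". Token label, PIN and
    # OpenSC module path are assumptions for this example.
    config: "pkcs11:token=nitrokey;pin-value=CHANGE-ME /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"

policy:
  - id: hsm-policy            # assumed name
    keystore: nitrokey-hsm
    algorithm: ecdsap256sha256
    single-type-signing: on   # one key per zone keeps HSM load down

zone:
  - domain: example.com       # assumed zone
    dnssec-signing: on
    dnssec-policy: hsm-policy
```

After changing the file, `knotc conf-check` validates it and `knotc reload` applies it; the control-socket transaction errors from the original post should be retried only after the previous `conf-commit`/`conf-abort` has completed.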
On 10. 08. 21 at 18:29, Laura Smith wrote:
I am working on a Knot deployment that uses Nitrokey
HSM[1] as a PKCS11 platform.
As you might imagine, for a small USB device, the Nitrokey is not exactly the most
performant HSM in the world.
My configuration works great with one or two test zones. But when I start ramping up the
number of zones, I start seeing weird problems with Knot (e.g. "blocked zone update
due to open control transaction" errors ... which don't seem to be errors because
my code debug shows the "zone-commit" being run, but it still leaves the Knot
database in a weird corrupt state where I cannot even "conf-unset" a domain even
if it is clearly existing in "conf-read").
Looking around the internet, it seems "OpenSC use_file_caching" might be the
answer[2]. Does Knot support this?
[1] https://www.nitrokey.com/files/doc/Nitrokey_HSM_factsheet.pdf
[2] https://support.nitrokey.com/t/slow-initialization-of-nitrokey-hsm/2906/6