...and some more hint.
Kind of an alternative to using an HSM to secure your keys might be using
the Offline KSK feature. This is what e.g. TLDs do.
It secures just the KSK, while the ZSK is exchanged frequently to avoid impact
when compromised.
It's suitable for advanced DNS admins.
Libor
On 16 Aug 2021 at 9:54, Daniel Salzman wrote:
Laura, I have to say that even some (all?) expensive HSMs don't work effectively with more threads as the operations are serialized in the device. The priority of an HSM is security, not crypto performance ;-) It means that more background workers don't necessarily give higher performance.
Daniel
On 8/16/21 9:36 AM, Laura Smith wrote:
> Thanks for the clarification Daniel, appreciate it.
>
> If you (or anyone on list) has ideas for HSMs to buy that work well with parallel workers but don't cost $$$$, I am open to suggestions. ;-)
>
> Laura
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Monday, August 16th, 2021 at 7:36 AM, Daniel Salzman <daniel.salzman(a)nic.cz> wrote:
>
>> Hi Laura,
>>
>> Knot DNS uses the GnuTLS PKCS #11 API, which is based on p11-kit. So use_file_caching isn't supported.
>>
>> As Libor already wrote, setting background workers to 1 might help. Some HSMs don't work well with parallel signing workers.
>>
>> Best,
>>
>> Daniel
>>
>> On 8/10/21 6:29 PM, Laura Smith wrote:
>>
>>> I am working on a Knot deployment that uses Nitrokey HSM[1] as a PKCS11 platform.
>>>
>>> As you might imagine, for a small USB device, the Nitrokey is not exactly the most performant HSM in the world.
>>>
>>> My configuration works great with one or two test zones. But when I start ramping up the number of zones, I start seeing weird problems with Knot (e.g. "blocked zone update due to open control transaction" errors ... which don't seem to be errors because my code debug shows the "zone-commit" being run, but it still leaves the Knot database in a weird corrupt state where I cannot even "conf-unset" a domain even if it is clearly existing in "conf-read").
>>>
>>> Looking around the internet, it seems "OpenSC use_file_caching" might be the answer[2]. Does Knot support this?
>>>
>>> [1] https://www.nitrokey.com/files/doc/Nitrokey_HSM_factsheet.pdf
>>>
>>> [2] https://support.nitrokey.com/t/slow-initialization-of-nitrokey-hsm/2906/6
>> --
>> https://lists.nic.cz/mailman/listinfo/knot-dns-users
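As an added illustration of the advice in this thread (not a configuration posted by anyone on the list), here is a minimal knot.conf that keeps signing keys in a PKCS#11 token and serialises signing with a single background worker; the token name, PIN, module path and zone name are placeholders.

```yaml
# Added example, not from the thread: Knot DNS signing with a PKCS#11 keystore.
# Token name, PIN, provider module path and zone are placeholders to adjust.
server:
    listen: [ 0.0.0.0@53, ::@53 ]
    # One background worker: the HSM serialises operations internally anyway,
    # and several workers signing at once is what the thread links to trouble.
    background-workers: 1

keystore:
  - id: hsm
    backend: pkcs11
    # Format: "<PKCS#11 URL> <path to the provider module>".
    # pin-value inline is a placeholder; keep the real PIN out of
    # world-readable config files (restrict file permissions).
    config: "pkcs11:token=PLACEHOLDER_TOKEN;pin-value=PLACEHOLDER_PIN /usr/lib/opensc-pkcs11.so"

policy:
  - id: hsm_policy
    keystore: hsm
    algorithm: ecdsap256sha256
    # Short-lived ZSK limits the impact of a ZSK compromise, as Libor notes;
    # the KSK stays in the token and rolls rarely.
    zsk-lifetime: 30d
    ksk-lifetime: 365d

template:
  - id: default
    storage: /var/lib/knot
    dnssec-signing: on
    dnssec-policy: hsm_policy

zone:
  - domain: example.com
```

Reload with `knotc reload` after editing and watch the log for the first signing run; if zone events still stall, the worker count is the first knob to confirm before blaming the token.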