At Tue, 3 Jan 2017 10:09:42 +0100, Yuri Schaeffer wrote:
...
> Moreover, ideally both daemons, but especially the signer run multiple
> threads. With any thread being able to do HSM operations. What I've
> heard from the Berlin workshop (I wasn't there myself) in order to get
> OpenDNSSEC 1.4 running the Signer could use at most one thread. I
> haven't tried multiple threads for that reason yet. Though it sounds like
> it has the same underlying issue.

We were unable to reproduce this as a threading issue per se during or after the workshop. My suspicion is that it was an inter-process locking problem, not an inter-thread locking problem. PKCS #11 doesn't do anything at all about inter-process locking (out of scope), and, as you say, OpenDNSSEC's various daemons make no attempt to synchronize with each other, so having multiple daemons trying to talk to the same UART without a lock was, um, problematic. So we added a lock, which is what you ran into.

As far as I know, the inter-thread PKCS #11 locking works. At the moment, running multiple threads won't give you any kind of performance boost (it'll probably cost performance due to threading and lock overhead), but it shouldn't cause errors. But of course this needs to be confirmed by testing.