Knot 3.0.6 stops generating PKCS#11 keys with "key generation error"
I'm running Knot 3.0.6 on Fedora 34 and experimenting with a SmartCard-HSM as described in this blog post I wrote.
During ZSK rollover, the server goes into what appears to be an endless loop attempting to generate a new key, but this occurs only after a short while, sometimes after having created 7, other times 4 keys successfully.
I have now compiled from source and have nailed the problem down to pkcs_generate_key(). After adding debugging statements, I see this output when the errors begin:
2021-06-07T12:36:17+0200 info: [example.net.] DNSSEC, signing zone
**** JP: gnutls_pkcs11_privkey_generate3: 0xFFFFFECC
2021-06-07T12:36:17+0200 warning: [example.net.] DNSSEC, key rollover, action generate (key generation error)
2021-06-07T12:36:17+0200 error: [example.net.] DNSSEC, failed to initialize (key generation error)
(The **** JP: line is an fprintf().)
I have pasted the full log here.
This machine is running Fedora 34 on a (physical) Thinkpad T420. As described in the blog, under the assumption that the issue is due to missing entropy, I have launched haveged, but that only slightly prolongs the duration until the error appears.
Is there something I can do to provide more information?