GitLab

I'm running Knot 3.0.6 on Fedora 34 and experimenting with a SmartCard-HSM as described in this blog post I wrote.

During ZSK rollover, the server goes into what appears to be an endless loop attempting to generate a new key, but this occurs after a short while only, sometimes after having created 7, other time 4 keys successfully.

I have now compiled from source and have nailed the problem down to pkcs_generate_key(). After adding debugging statement, I see this output when the errors begin:

2021-06-07T12:36:17+0200 info: [example.net.] DNSSEC, signing zone
**** JP: gnutls_pkcs11_privkey_generate3: 0xFFFFFECC
2021-06-07T12:36:17+0200 warning: [example.net.] DNSSEC, key rollover, action generate (key generation error)
2021-06-07T12:36:17+0200 error: [example.net.] DNSSEC, failed to initialize (key generation error)

(The **** JP: line is an fprintf())

I have pasted the full log here.

This machine is running Fedora 34 on a (physical) Thinkpad T420. As described in the blog, under the assumption that the issue is due to missing entropy, I have launched haveged, but that only slightly prolongs the duration until the error appears.

Is there something I can do to provide more information?