We are designing our new signer infrastructure, and are working towards a situation where we can have two concurrent, independent signers running in parallel, where one is active, and one is a hot standby. To make this work, we need to replicate HSM state between the two signers, and when we started digging in, we realised that it might be a worthwhile improvement to the OpenDNSSEC signer to have it optionally use a read-only session to the HSM through the PKCS #11 library. The advantage of this is that there is an absolute guarantee that the signer does not modify the state of the HSM, and that any optimisations that the PKCS #11 library has that come with the HSM for dealing with read-only sessions are used (e.g. tracking of changes to the HSM token state when keys are generated). We can then separately perform controlled runs of the Enforcer (or equivalent tool) and synchronise HSM states after such a run.
What is needed?
- For this change, libhsm will need to be modified to optionally support opening a CKF_RO_SESSION when calling C_OpenSession (it currently does this at three points in the code).
- The signer will need to be modified to support a configuration parameter (in a configuration file, on the command line, or both) that optionally enables read-only sessions.
- The signer will need to be modified to pass the read-only session option through to libhsm.
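As an added illustration of the libhsm change (this is example code, not OpenDNSSEC's own), the following shows how a session opener can honour a read-only option and then verify that the token really handed back a read-only session, since PKCS #11 expresses "read-only" by leaving CKF_RW_SESSION out of the C_OpenSession flags rather than through a dedicated flag. The PKCS #11 types and constants are a minimal subset declared inline, and the C_OpenSession/C_GetSessionInfo functions are a constructed stub standing in for a vendor library so that the example runs offline.

```c
/* Added example, not libhsm code. Minimal subset of PKCS #11 types/constants
 * (values as in the PKCS #11 v2.x specification). */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG, CK_FLAGS, CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_STATE;
typedef struct { CK_SLOT_ID slotID; CK_STATE state; CK_FLAGS flags; CK_ULONG ulDeviceError; } CK_SESSION_INFO;

#define CKF_RW_SESSION                     0x00000002UL
#define CKF_SERIAL_SESSION                 0x00000004UL
#define CKR_OK                             0x00000000UL
#define CKR_GENERAL_ERROR                  0x00000005UL
#define CKR_SESSION_HANDLE_INVALID         0x000000B3UL
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4UL
#define CKS_RO_USER_FUNCTIONS              1UL
#define CKS_RW_USER_FUNCTIONS              3UL

/* Constructed stub token: records the flags it was opened with so the caller
 * can check them back. A real C_OpenSession comes from the HSM's library. */
static CK_FLAGS stub_flags;
static CK_RV C_OpenSession(CK_SLOT_ID slot, CK_FLAGS flags, void *app, void *notify, CK_SESSION_HANDLE *h) {
    (void)slot; (void)app; (void)notify;
    if (!(flags & CKF_SERIAL_SESSION)) return CKR_SESSION_PARALLEL_NOT_SUPPORTED; /* mandatory flag */
    stub_flags = flags; *h = 1; return CKR_OK;
}
static CK_RV C_GetSessionInfo(CK_SESSION_HANDLE h, CK_SESSION_INFO *info) {
    if (h != 1) return CKR_SESSION_HANDLE_INVALID;
    info->slotID = 0; info->flags = stub_flags; info->ulDeviceError = 0;
    info->state = (stub_flags & CKF_RW_SESSION) ? CKS_RW_USER_FUNCTIONS : CKS_RO_USER_FUNCTIONS;
    return CKR_OK;
}

/* A session is read-only when CKF_RW_SESSION is omitted; CKF_SERIAL_SESSION
 * must always be set. Default (read_only == 0) keeps today's R/W behaviour. */
CK_FLAGS hsm_session_flags(int read_only) {
    return CKF_SERIAL_SESSION | (read_only ? 0UL : CKF_RW_SESSION);
}

/* Open a session and, when read-only was requested, confirm the token honoured
 * it. A signer that must never modify token state should refuse to continue if
 * it unexpectedly holds a R/W session (a broken library might ignore the flags). */
CK_RV hsm_open_session(CK_SLOT_ID slot, int read_only, CK_SESSION_HANDLE *out) {
    CK_SESSION_INFO info;
    CK_RV rv = C_OpenSession(slot, hsm_session_flags(read_only), NULL, NULL, out);
    if (rv != CKR_OK) return rv;
    rv = C_GetSessionInfo(*out, &info);
    if (rv != CKR_OK) return rv;
    if (read_only && (info.flags & CKF_RW_SESSION)) return CKR_GENERAL_ERROR;
    return CKR_OK;
}

/* Returns 1 if the open session is read-only, 0 if read/write, -1 on error. */
int hsm_session_is_read_only(CK_SESSION_HANDLE h) {
    CK_SESSION_INFO info;
    if (C_GetSessionInfo(h, &info) != CKR_OK) return -1;
    return (info.flags & CKF_RW_SESSION) ? 0 : 1;
}
```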
Risks
We propose to make this an optional configuration, with the default behaviour set to using R/W sessions (the current behaviour), so that potentially broken PKCS #11 implementations are not affected unless the option is explicitly enabled.
Final remarks
We are willing to provide patches to implement this functionality; please assign the issue to Rick van Rein if you would like us to do this.