suggestions for a hardware random number generator?
Mark Andrews
Mark_Andrews at isc.org
Thu Sep 4 14:44:36 UTC 2008
> It takes me about 85 minutes to generate a 1024 bit key for dnssec.
> I'd like to install a random number generator to speed the process up.
> Do you have any suggestions, recommendations or reviews that I might
> consider?
>
> thanks,
> -Marcus
Or just ask on a list for your OS on how to properly configure
your /dev/random.
On a properly configured machine you should be able to
generate multiple 1024 bit keys a second.
% time dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n zone example.net
Kexample.net.+005+39426
0.150u 0.000s 0:00.17 88.2% 476+286k 0+0io 1pf+0w
%
Mark
> On Sat, Aug 30, 2008 at 8:17 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:
> >
> >> On Sun, 31 Aug 2008 02:40:36 you wrote:
> >> > > Hello all-
> >> > >
> >> > > The following command-
> >> > >
> >> > > /usr/local/sbin/dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1024 -n ZONE example.com
> >> > >
> >> > > stalls. The system is Slackware Linux 12.1 with kernel 2.6.23-11.
> >> > >
> >> > > Michael
> >> >
> >> > You need to cause the kernel to gather entropy. The way to
> >> > do that is to make the kernel do work.
> >> >
> >> > e.g.
> >> > ls -R /
> >>
> >> While this does increase the entropy to over 3,000, it still doesn't work (and
> >> the entropy sinks within a few seconds anyway)
> >
> > When generating large keys I just keep running "ls -R /" until the
> > key generation completes. You can also use the keyboard. Install
> > a hardware random number generator and configure the kernel to use
> > it (might require an OS change as I don't know if this is supported
> > under Linux).
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> >
> >
>
>
>
> --
> Marcus Morgan
> UF/OIT/CNS/NS/S
> marcus at ufl.edu
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
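
Added example, not part of the original messages or of BIND: a small shell check that samples the Linux kernel's entropy estimate for a few seconds, to show whether the pool drains as described in the quoted thread, and reports whether a hardware RNG driver is active. It assumes the Linux paths /proc/sys/kernel/random/entropy_avail and /sys/class/misc/hw_random/rng_current; the function names are hypothetical.

```shell
#!/bin/sh
# Assumed Linux interfaces; override the variables to point at other files.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
HWRNG_FILE=${HWRNG_FILE:-/sys/class/misc/hw_random/rng_current}

# Emit $2 readings of file $1, $3 seconds apart, one per line.
sample_entropy() {
    n=0
    while [ "$n" -lt "$2" ]; do
        cat "$1" || return 1
        n=$((n + 1))
        if [ "$n" -lt "$2" ]; then sleep "$3"; fi
    done
}

# Read integer readings on stdin and print "min max".
# Fails on empty or non-numeric input.
range_of() {
    min=
    max=
    while read -r v; do
        case $v in ''|*[!0-9]*) return 1 ;; esac
        if [ -z "$min" ] || [ "$v" -lt "$min" ]; then min=$v; fi
        if [ -z "$max" ] || [ "$v" -gt "$max" ]; then max=$v; fi
    done
    [ -n "$min" ] || return 1
    echo "$min $max"
}

# Print the active hardware RNG driver named in file $1, or "none"
# when the file is missing, empty, or itself says "none".
hwrng_name() {
    name=
    if [ -r "$1" ]; then
        read -r name < "$1" || true
    fi
    case $name in ''|none) echo none ;; *) echo "$name" ;; esac
}

# Run against the live system only when the entropy file is readable.
if [ -r "$ENTROPY_FILE" ]; then
    range=$(sample_entropy "$ENTROPY_FILE" 3 1 | range_of) || range=unreadable
    echo "entropy_avail min/max over 3 samples: $range"
    echo "hardware RNG driver: $(hwrng_name "$HWRNG_FILE")"
fi
```

Run it in a second terminal while dnssec-keygen is reading /dev/random: a minimum far below the maximum means the pool is being emptied faster than the kernel refills it.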