Slow zone signing with ECDSA
Tony Finch
dot at dotat.at
Thu Apr 20 10:07:33 UTC 2017
Mark Andrews <marka at isc.org> wrote:
>
> DSA requires random values as part of the signing process.

Traditionally, yes, but it isn't actually required -
https://tools.ietf.org/html/rfc6979

(PuTTY has been using deterministic DSA since 2001, because of
problems with obtaining random numbers on old versions of Windows.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=d345ebc2a5)

You should always use /dev/urandom to get random numbers unless your
system has a better API like getrandom(2) or getentropy(2). On Linux,
haveged is a good way to stop /dev/random blocking unenlightened software.

https://www.2uo.de/myths-about-urandom/
https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Rockall, Malin, Hebrides: Westerly or southwesterly, veering northwesterly
later in north Rockall and Hebrides, 4 or 5, increasing 6 at times. Moderate
or rough, becoming very rough in north Hebrides. Rain at times. Good,
occasionally poor.