dnssec-keygen + Bind 9.4.2 RC2
Chris Buxton
cbuxton at menandmice.com
Tue Nov 20 19:56:08 UTC 2007
On Nov 20, 2007, at 9:39 AM, Dave Knight wrote:
> Try those again with:
>
> -r /dev/urandom
>
> dave
>
> On 20-Nov-07, at 12:29 PM, Laurent Archambault wrote:
>
>> Hello all,
>> For personal experimentation, I am testing DNSSEC on my DNS (Bind 9.4.2 RC2).
>> And for the first command:
>> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE 1.168.192.in-addr.arpa.
>> this command has taken (+-) 15/20 seconds to make 2 keys.
>>
>> And just after, with this (similar) command:
>> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE archi.amt.
>> Karchi.amt.+005+28279
>> This command has finished after 5 hours, and with an Intel 2x core ...
>>
>> Is this normal?
>>
More specifically, the problem is that /dev/random is running out of
entropy, at which point it stops outputting data. /dev/urandom does
not stop at that point.
Here's an apropos reference from the FreeBSD manpage for /dev/random
and /dev/urandom:
> The two other interfaces are two character devices /dev/random and
> /dev/urandom. The /dev/random device is suitable for use when very
> high quality randomness is desired (e.g. for key generation), as it
> will only return a maximum of the number of bits of randomness (as
> estimated by the random number generator) contained in the entropy
> pool.
> The /dev/urandom device does not have this limit, and will return as
> many bytes as are requested. As more and more random bytes are
> requested without giving time for the entropy pool to recharge, this
> will result in lower quality random numbers. For many applications,
> however, this is acceptable.
>
I would be interested to know if anyone has a better solution than
using /dev/urandom for a typical server, on which there are no
keyboard events and precious few other interrupts to use as sources of
entropy. The BIND 9 name server maintains its own entropy pool, as
evidenced by a recent security update. However, for applications that
need to use a device node for randomness on the server, there does not
appear to me to be a good solution.
Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbuxton at menandmice.com
www.menandmice.com
Men & Mice
We bring control and flexibility to network management
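The failure mode discussed in this thread (a key generator reading from /dev/random hangs for hours once the kernel's entropy estimate hits zero) is easy to reproduce and easy to guard against with a bounded read. The following Python script is an added example and is not part of the thread, nor BIND's own code. It assumes a Unix host with /dev/random and /dev/urandom, and treats the Linux-only file /proc/sys/kernel/random/entropy_avail as optional. It opens the device non-blocking and waits with select() under a deadline, so a drained pool is reported as a stall instead of an indefinite hang, which is the check an operator would want to run on a headless server before committing to a long dnssec-keygen run.

```python
import os
import select
import time

# Linux exposes the kernel's current entropy estimate here; other
# systems (e.g. FreeBSD) do not, so the reader returns None there.
ENTROPY_AVAIL_PATH = "/proc/sys/kernel/random/entropy_avail"


def entropy_avail(path=ENTROPY_AVAIL_PATH):
    """Return the kernel's entropy estimate in bits, or None if unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_random_bytes(path, n, timeout):
    """Read up to n bytes from a random device, never waiting longer than
    `timeout` seconds in total. Returns (data, stalled). stalled is True
    when the device could not supply n bytes before the deadline, which is
    exactly what /dev/random does on a host whose entropy pool is drained."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = bytearray()
        deadline = time.monotonic() + timeout
        while len(buf) < n:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return bytes(buf), True
            # Wait for the device to become readable, bounded by the deadline.
            ready, _, _ = select.select([fd], [], [], remaining)
            if not ready:
                return bytes(buf), True
            try:
                chunk = os.read(fd, n - len(buf))
            except BlockingIOError:
                # Pool drained between select() and read(); wait again.
                continue
            if not chunk:
                return bytes(buf), True
            buf.extend(chunk)
        return bytes(buf), False
    finally:
        os.close(fd)


def probe(path, n=64, timeout=5.0):
    """Time a bounded read and report how much the device delivered."""
    start = time.monotonic()
    data, stalled = read_random_bytes(path, n, timeout)
    return {
        "device": path,
        "requested": n,
        "delivered": len(data),
        "stalled": stalled,
        "seconds": round(time.monotonic() - start, 3),
    }


if __name__ == "__main__":
    print("entropy_avail:", entropy_avail())
    # /dev/urandom never stalls; /dev/random may, on older kernels or
    # on an idle server with few interrupt sources.
    for dev in ("/dev/urandom", "/dev/random"):
        print(probe(dev))
```

If the /dev/random probe reports stalled=True while /dev/urandom delivers immediately, the host is in the state described above, and a long-running key generation pointed at /dev/random will hang rather than fail; the -r /dev/urandom option from Dave's reply avoids that outcome.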