dnssec-keygen + Bind 9.4.2 RC2

Chris Buxton cbuxton at menandmice.com
Tue Nov 20 19:56:08 UTC 2007


On Nov 20, 2007, at 9:39 AM, Dave Knight wrote:
> Try those again with:
>
>   -r /dev/urandom
>
> dave
>
> On 20-Nov-07, at 12:29 PM, Laurent Archambault wrote:
>
>> Hello all,
>> For personal experimentation, I am testing DNSSEC on my DNS (Bind 9.4.2
>> RC2).
>> And for the first command:
>> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE 1.168.192.in-addr.arpa.
>> This command has taken (+-) 15/20 seconds to make 2 keys.
>>
>> And just after, with this (similar) command:
>> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE archi.amt.
>> Karchi.amt.+005+28279
>> This command has finished after 5 hours, and with an Intel 2x core ...
>>
>> Is this normal ?
>>

More specifically, the problem is that /dev/random is running out of
entropy, at which point it stops outputting data. /dev/urandom does
not stop at that point.

Here's an apropos reference from the FreeBSD manpage for /dev/random  
and /dev/urandom:

> The two other interfaces are two character devices /dev/random and
> /dev/urandom. The /dev/random device is suitable for use when very
> high quality randomness is desired (e.g. for key generation), as it  
> will only return a maximum of the number of bits of randomness (as  
> estimated by the random number generator) contained in the entropy  
> pool.
> The /dev/urandom device does not have this limit, and will return as  
> many bytes as are requested. As more and more random bytes are  
> requested without giving time for the entropy pool to recharge, this  
> will result in lower quality random numbers. For many applications,  
> however, this is acceptable.
>


I would be interested to know if anyone has a better solution than  
using /dev/urandom for a typical server, on which there are no  
keyboard events and precious few other interrupts to use as sources of  
entropy. The BIND 9 name server maintains its own entropy pool, as  
evidenced by a recent security update. However, for applications that  
need to use a device node for randomness on the server, there does not  
appear to me to be a good solution.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com

Men & Mice
We bring control and flexibility to network management
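The blocking behaviour discussed in this thread, as an added example that is not from the bind-users post: it reads each device with O_NONBLOCK so that, where a plain read would stall for lack of entropy, the kernel returns EAGAIN and we can count how many bytes were actually delivered. It assumes a Unix host with both device nodes; on current Linux kernels /dev/random no longer blocks once the pool is initialised, so both counts may come back full there.

```python
"""Probe whether /dev/random would block, the failure behind the 5-hour keygen."""
import os

REQUEST = 2048  # bytes requested per device; constructed sample size for the probe


def read_nonblocking(path: str, nbytes: int) -> bytes:
    """Return the bytes the device hands over before it would block.

    With O_NONBLOCK a read that would otherwise sleep (entropy estimate
    exhausted on a classic /dev/random) raises BlockingIOError instead,
    which we treat as "the pool ran dry here".
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    got = bytearray()
    try:
        while len(got) < nbytes:
            try:
                chunk = os.read(fd, nbytes - len(got))
            except BlockingIOError:
                break  # would have blocked: this is what stalled dnssec-keygen
            if not chunk:
                break  # EOF, should not happen on a random device
            got.extend(chunk)
    finally:
        os.close(fd)
    return bytes(got)


def probe(nbytes: int = REQUEST) -> dict:
    """Map each device to the byte count obtained without blocking."""
    return {dev: len(read_nonblocking(dev, nbytes))
            for dev in ("/dev/random", "/dev/urandom")}


def keygen_args(zone: str, bits: int = 2048) -> list:
    """The dnssec-keygen invocation from the thread with Dave's -r fix applied."""
    return ["dnssec-keygen", "-r", "/dev/urandom", "-f", "KSK", "-a", "RSASHA1",
            "-b", str(bits), "-n", "ZONE", zone]


if __name__ == "__main__":
    for dev, count in probe().items():
        print(f"{dev}: {count}/{REQUEST} bytes without blocking")
    print(" ".join(keygen_args("archi.amt.")))
```

A /dev/random count well below /dev/urandom's on a headless box is the symptom from the thread; /dev/urandom always fills the request.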


