/dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
Mark Andrews
Mark_Andrews at isc.org
Fri May 15 01:51:47 UTC 2009
In message <4B18A8F75A6384449755BC7784073E93603B776C52 at exch11.olympus.f5net.com>, Jack Tavares writes:
> One other thing:
> when I remove /dev/random from the chroot, bind just uses the
> pre-chroot /dev/random
> 14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not found
> 14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random
> which is groovy.
> So I guess I don't need the chroot random, but I would still like
> to know why using the chrooted /dev/random causes this problem.
Some versions of OpenSSL do unconditional RSA blinding and
this uses /dev/random. RSA blinding is needed when you are
establishing an encrypted connection such as with SSL. It
is not needed when generating RRSIGs and we disable it
when we can.
I suspect that /dev/random is not returning enough random
data and that the RSA blinding operation is failing as a
result.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
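Added example, not part of the thread above and not ISC or BIND code: the sanity check a BIND administrator would run on the jail before concluding that OpenSSL's blinding is starved of entropy. It assumes the jail keeps its device node at <jail>/dev/random and that the host device is /dev/random. It reports whether the node is missing, is not a character device (the usual result of copying the file instead of using mknod), has major/minor numbers that differ from the host's, or would block when named asks it for a few bytes. The demo constructs two broken jails in a temporary directory so it runs without root.

```python
"""Sanity-check the /dev/random device node inside a chroot jail.

Added example for the bind-users thread (not ISC's or BIND's code). Paths
and the 32-byte read size are assumptions; the jails built by
demo_broken_jails() are constructed test data.
"""
import errno
import os
import stat
import tempfile

HOST_RANDOM = "/dev/random"  # assumption: the host's entropy device


def describe_node(path):
    """Classify a candidate entropy device: returns (status, detail)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ("missing", path)
    if not stat.S_ISCHR(st.st_mode):
        # e.g. a regular file left behind by `cp /dev/random jail/dev/`
        return ("not-a-char-device", stat.filemode(st.st_mode))
    return ("char-device", (os.major(st.st_rdev), os.minor(st.st_rdev)))


def check_jail_random(jail_root, host_random=HOST_RANDOM, nbytes=32):
    """Compare <jail_root>/dev/random with the host device and try a non-blocking read."""
    jail_random = os.path.join(jail_root, "dev", "random")
    status, detail = describe_node(jail_random)
    if status != "char-device":
        return {"path": jail_random, "ok": False, "reason": status, "detail": detail}

    host_status, host_detail = describe_node(host_random)
    if host_status != "char-device":
        return {"path": jail_random, "ok": False,
                "reason": "host-device-unusable", "detail": host_detail}
    if detail != host_detail:
        # Wrong major/minor: the jail node points at some other driver.
        return {"path": jail_random, "ok": False, "reason": "major-minor-mismatch",
                "detail": {"jail": detail, "host": host_detail}}

    # A device that would block here is the condition that leaves RSA
    # blinding inside the jail waiting for entropy that never arrives.
    fd = os.open(jail_random, os.O_RDONLY | os.O_NONBLOCK)
    try:
        data = os.read(fd, nbytes)
    except OSError as exc:
        if exc.errno == errno.EAGAIN:
            return {"path": jail_random, "ok": False, "reason": "would-block", "detail": nbytes}
        raise
    finally:
        os.close(fd)
    return {"path": jail_random, "ok": len(data) == nbytes, "reason": "read", "detail": len(data)}


def demo_broken_jails():
    """Build two deliberately broken jails (constructed data) and report the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        empty = os.path.join(root, "empty")
        os.makedirs(os.path.join(empty, "dev"))
        results["missing"] = check_jail_random(empty)["reason"]

        bogus = os.path.join(root, "bogus")
        os.makedirs(os.path.join(bogus, "dev"))
        with open(os.path.join(bogus, "dev", "random"), "wb") as fh:
            fh.write(b"\x00" * 64)  # a regular file masquerading as the device
        results["regular_file"] = check_jail_random(bogus)["reason"]
    return results


if __name__ == "__main__":
    print(demo_broken_jails())
    # Checking the host root itself compares /dev/random with itself and reads from it.
    print(check_jail_random("/"))
```

If the node classifies as a character device with matching numbers but the read returns "would-block", the device itself is the bottleneck; the fix is a kernel or entropy-source question rather than a jail-layout one, and removing the jail node so named falls back to the pre-chroot source (as in the quoted log) changes nothing about the underlying pool.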