Question about message "your system is lacking dev/random (or equivalent)"
Warren Kumari
warren at kumari.net
Mon Apr 19 14:15:28 UTC 2010
A few things to try:
1: Make sure that /dev/urandom is actually doing something:
dd if=/dev/urandom bs=1k count=1 | strings
2: You might want to try the same thing on /dev/random, but you will
(probably) get way way less output -- you might want to look into
seeing if your machine has a hardware entropy source and can / does
expose it somewhere -- you can also investigate adding a hardware
random source. From a quick look online, AIX is much more restrictive
about its entropy sources, but you should be able to run a daemon that
adds entropy.
You should also see where BIND believes it should suck randomness
from -- it will log this when it starts, mine looks like:
Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf
Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'
Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets
W
On Apr 19, 2010, at 5:59 AM, Khuu, Linh MicroTech wrote:
> I'm running the BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.
>
> # odmget CuDvDr | grep -p random
> CuDvDr:
> resource = "ddins"
> value1 = "random"
> value2 = "34"
> value3 = ""
>
> crw-r--r-- 1 root system 34, 0 Feb 26 2009 random
> crw-r--r-- 1 root system 34, 1 Feb 26 2009 urandom
>
> I'm running BIND9 on 4 DNS servers with same build, same OS. 2 of
> DNS servers are running with no problem. The other 2 show error in
> the dnssec log:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918:
> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
> (keyid=47948): You must use the keyboard to create entropy, since
> your system is lacking
> /dev/random (or equivalent)
>
> Linh Khuu
> -----Original Message-----
> From: Warren Kumari [mailto:warren at kumari.net]
> Sent: Tuesday, April 13, 2010 3:43 PM
> To: Khuu, Linh MicroTech
> Cc: 'bind-users at lists.isc.org'
> Subject: Re: Question about message "your system is lacking dev/random (or equivalent)"
>
>
> On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
>
>> I just turned on the dnssec-validation today, and I saw lots of
>> messages:
>>
>> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918:
>> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
>> (keyid=47948): You must use the keyboard to create entropy, since
>> your system is lacking
>> /dev/random (or equivalent)
>>
>> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:
>> usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the
>> keyboard to create entropy, since your system is lacking
>> /dev/random (or equivalent)
>>
>> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28:
>> usps.gov SOA: verify rdataset (keyid=43133): You must use the
>> keyboard to create entropy, since your system is lacking
>> /dev/random (or equivalent)
>>
>> Is this a problem with dnssec on my DNS server?
>
> Did you build BIND yourself? When BIND starts does it log anything
> like: "--with-randomdev=<something>"?
> What operating system, etc? You haven't really provided very much
> useful information in your question...
>
> DNSSEC needs entropy for signing -- it believes that your system does
> not provide a useful source of entropy (do you have a /dev/random?)
> and so it wants you to add some. This is not a BIND problem, it is an
> OS (or more likely configuration issue).
>
> W
>
>
>
>
>>
>> Linh Khuu
>> Network Security Specialist
>> MicroTech ESS Contract
>> Office: 410-966-0798
>> Pager: 410-232-2350
>> Email: Linh.Khuu at ssa.gov
>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> If the bad guys have copies of your MD5 passwords, then you have way
> bigger problems than the bad guys having copies of your MD5 passwords.
> -- Richard A Steenbergen
>
>
--
"Beware that the most effective way for someone to decrypt your data
may be with rubber hose." --- SSH 1.2.12 README
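The checks Warren lists at the top of his reply (confirm the random device actually produces output, then see which device named was built with), put into a small POSIX shell script. This is an added example, not code from the thread or from ISC; the threshold of 128 distinct byte values per KiB and the embedded sample log lines are my own constructed choices.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for BIND's entropy source.
# Count distinct byte values in a sample read from a character device. 1 KiB
# from a healthy /dev/urandom covers nearly all 256 values; /dev/zero or a
# stuck device covers one. Prints 0 and fails if the device is missing.
distinct_byte_values() {
    dev="$1"; count="${2:-1024}"
    [ -c "$dev" ] || { echo 0; return 1; }
    dd if="$dev" bs=1 count="$count" 2>/dev/null \
        | od -An -v -tu1 | tr -s ' ' '\n' | grep -v '^$' \
        | sort -n | uniq | wc -l | tr -d ' '
}

# Succeeds when the device yields random-looking bytes: 128 distinct values in
# 1 KiB is a generous floor (uniform bytes give ~250) that still rejects
# constant or near-constant sources.
entropy_device_ok() {
    n=$(distinct_byte_values "$1" 1024) || return 1
    [ "$n" -ge 128 ]
}

# Pull the device BIND was built with out of named's startup log, e.g.
# "built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'".
randomdev_from_log() {
    sed -n "s/.*--with-randomdev=\([^' ]*\).*/\1/p" | head -n 1
}

# Find the device named in the log text $1 and verify it works.
# Returns 0 if ok, 1 if the device is bad, 2 if the log never names one.
check_entropy_setup() {
    dev=$(printf '%s\n' "$1" | randomdev_from_log)
    if [ -z "$dev" ]; then
        echo "log does not mention --with-randomdev; check how BIND was built"
        return 2
    fi
    if entropy_device_ok "$dev"; then
        echo "ok: $dev yields random-looking bytes"; return 0
    fi
    echo "FAIL: $dev is missing or not producing random-looking bytes"; return 1
}

# Constructed sample of named's startup lines, same shape as those quoted above.
SAMPLE_LOG=$(cat <<'EOF'
Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'
Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets
EOF
)

# Given a readable log file as $1, check the device it names on this host.
if [ -r "${1:-}" ]; then check_entropy_setup "$(cat "$1")"; fi
```

Point it at a file holding named's startup lines to check the configured device on the running host; a device that passes the byte-count check but still triggers the keyboard-entropy message points at BIND having been built against a different path than the one the OS provides.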