Question about message "your system is lacking dev/random (or equivalent)"

Warren Kumari warren at kumari.net
Mon Apr 19 14:15:28 UTC 2010 

A few things to try:

1: Make sure that /dev/urandom is actually doing something:
dd if=/dev/urandom bs=1k count=1  | strings

2: You might want to try the same thing on /dev/random, but you will  
(probably) get way way less output -- you might want to look into  
seeing if your machines has a hardware entropy source and can / does  
expose it somewhere -- you can also investigate adding a hardware  
random source. From a quick look online, AIX is much more restrictive  
about its entropy sources, but you should be able to run a daemon that  
adds entropy.

You should also see where BIIND believes it should suck randomness  
from -- it will log this when it starts, mine looks like:
Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t / 
chroot/named -c /etc/bind/named.conf
Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '-- 
with-randomdev=/dev/urandom'
Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets

W



On Apr 19, 2010, at 5:59 AM, Khuu, Linh MicroTech wrote:

> I'm running the BIND9 on AIX 5.3. My OS does have /dev/random and / 
> dev/urandom.
>
> # odmget CuDvDr | grep -p random
> CuDvDr:
>        resource = "ddins"
>        value1 = "random"
>        value2 = "34"
>        value3 = ""
>
> crw-r--r--    1 root     system       34,  0 Feb 26 2009  random
> crw-r--r--    1 root     system       34,  1 Feb 26 2009  urandom
>
> I'm running BIND9 on 4 DNS servers with same build, same OS. 2 of  
> DNS servers are running with no problem. The other 2 show error in  
> the dnssec log:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:
> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
> (keyid=47948): You must use the keyboard to create entropy, since
> your system is lacking
> /dev/random (or equivalent)
>
> Linh Khuu
> -----Original Message-----
> From: Warren Kumari [mailto:warren at kumari.net]
> Sent: Tuesday, April 13, 2010 3:43 PM
> To: Khuu, Linh MicroTech
> Cc: 'bind-users at lists.isc.org'
> Subject: Re: Question about message "your system is lacking dev/ 
> random (or equivalent)"
>
>
> On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
>
>> I just turned on the dnssec-validation today, and I saw lots of
>> messages:
>>
>> 13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:
>> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
>> (keyid=47948): You must use the keyboard to create entropy, since
>> your system is lacking
>> /dev/random (or equivalent)
>>
>> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:
>> usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the
>> keyboard to create entropy, since your system is lacking
>> /dev/random (or equivalent)
>>
>> 13-Apr-2010 15:26:37.385 dnssec: debug 3:   validating @202c0e28:
>> usps.gov SOA: verify rdataset (keyid=43133): You must use the
>> keyboard to create entropy, since your system is lacking
>> /dev/random (or equivalent)
>>
>> Is this a problem with dnssec on my DNS server?
>
> Did you build BIND yourself? When BIND starts does it log anything
> like: "--with-randomdev=<something>"?
> What operating system, etc? You haven't really provided very much
> useful information in your question...
>
> DNSSEC needs entropy for signing -- it believes that your system does
> not provide a useful source of entropy (do you have a /dev/random?)
> and so it want you to add some. This is not a BIND problem, it is an
> OS (or more likely configuration issue).
>
> W
>
>
>
>
>>
>> Linh Khuu
>> Network Security Specialist
>> MicroTech ESS Contract
>> Office: 410-966-0798
>> Pager: 410-232-2350
>> Email: Linh.Khuu at ssa.gov
>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> If the bad guys have copies of your MD5 passwords, then you have way
> bigger problems than the bad guys having copies of your MD5 passwords.
> -- Richard A Steenbergen
>
>

--
"Beware that the most effective way for someone to decrypt your data  
may be with rubber hose." --- SSH 1.2.12 README

More information about the bind-users mailing list