DNSSEC Generating Zone Key hanging

Mark Elkins mje at posix.co.za
Sun Apr 22 09:54:25 UTC 2012


On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
> On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> >    Hello,
> >    I was setting up BIND DNSSEC and when I issue the following command the
> >    process never finishes.
> >    dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
> >    I straced the process and noticed the following messages
> >    write(2, "Generating key pair.", 20Generating key pair.)    = 20
> >    gettimeofday({1335044641, 756413}, NULL) = 0
> >    read(3, "s\2161\363\364<\1s1\343\311\212\1", 64) = 13
> >    read(3, 0x7fffcac9c960, 51)             = -1 EAGAIN (Resource temporarily unavailable)
> >    select(4, [3], [], NULL, NULL)          = 1 (in [3])
> >    read(3, "p\32\254\352$\264:\22", 51)    = 8
> >    read(3, 0x7fffcac9c960, 43)             = -1 EAGAIN (Resource temporarily unavailable)
> >    select(4, [3], [], NULL, NULL)          = 1 (in [3])
> >    read(3, "\370\270\363IE\342X\343", 43)  = 8
> >    read(3, 0x7fffcac9c960, 35)             = -1 EAGAIN (Resource temporarily unavailable)
> >    select(4, [3], [], NULL, NULL)          = 1 (in [3])
> >    My machine is a virtual host, does anyone have any ideas what resource is
> >    temporarily unavailable. 
> 
> /dev/random - VMs, with no keyboard or mouse, don't accumulate enough
> entropy to keep /dev/random full. Installing haveged would probably
> help; or consider generating keys on a machine with a decent amount of
> entropy and securely moving them to your VM.

> Bill.


Yes - lack of Entropy, try...
dd if=/dev/random of=/dev/null bs=128 count=1
... a few times.

Check your entropy levels....
cat /proc/sys/kernel/random/entropy_avail

The package "haveged" does a very reasonable job - I found a description
of it at: www.irisa.fr/caps/projects/hipsor

Or you can buy a hardware entropy source (a USB dongle-like device).

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
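
An added example, not part of the original message: a pre-flight check built on the `entropy_avail` reading mentioned above, meant to run before `dnssec-keygen` so a starved VM is reported instead of hanging. The function names, the optional file-path argument and the 512-bit default (the 64-byte read seen in the strace) are assumptions.

```shell
#!/bin/sh
# Added example: check the kernel entropy estimate before a blocking key generation.
# Function names, the 512-bit default and the file argument are assumptions.

ENTROPY_FILE_DEFAULT=/proc/sys/kernel/random/entropy_avail

# entropy_status [needed_bits] [entropy_file]
# Prints "ok <bits>", "low <bits>" or "unknown"; returns 0, 1 or 2.
entropy_status() {
    needed=${1:-512}
    file=${2:-$ENTROPY_FILE_DEFAULT}
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 2
    fi
    bits=$(tr -d '[:space:]' < "$file")
    case $bits in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;   # not a plain integer
    esac
    if [ "$bits" -ge "$needed" ]; then
        echo "ok $bits"
        return 0
    fi
    echo "low $bits"
    return 1
}

# wait_for_entropy needed_bits timeout_seconds [entropy_file]
# Polls once per second until the pool reaches needed_bits or the timeout expires.
# Returns 0 when enough, 1 on timeout, 2 when the estimate cannot be read.
wait_for_entropy() {
    needed=$1; remaining=$2; file=${3:-$ENTROPY_FILE_DEFAULT}
    while :; do
        rc=0
        entropy_status "$needed" "$file" >/dev/null || rc=$?
        [ "$rc" -ne 1 ] && return "$rc"
        [ "$remaining" -le 0 ] && return 1
        sleep 1
        remaining=$((remaining - 1))
    done
}

# Typical use (not executed here):
#   wait_for_entropy 512 30 && dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
```

Recent Linux kernels no longer block `/dev/random` once the pool is initialised and report a fixed `entropy_avail`, so the threshold is meaningful mainly on older kernels like the one in this thread.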
