DNSSEC Generating Zone Key hanging
Mark Elkins
mje at posix.co.za
Sun Apr 22 09:54:25 UTC 2012
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
> On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> > Hello,
> > I was setting up BIND DNSSEC and when I issue the following command the
> > process never finishes.
> > dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
> > I straced the process and noticed the following messages
> > write(2, "Generating key pair.", 20Generating key pair.) = 20
> > gettimeofday({1335044641, 756413}, NULL) = 0
> > read(3, "s\2161\363\364<\1s1\343\311\212\1", 64) = 13
> > read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > read(3, "p\32\254\352$\264:\22", 51) = 8
> > read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > read(3, "\370\270\363IE\342X\343", 43) = 8
> > read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > My machine is a virtual host, does anyone have any ideas what resource is
> > temporarily unavailable?
>
> /dev/random - VMs, with no keyboard or mouse, don't accumulate enough
> entropy to keep /dev/random full. Installing haveged would probably
> help; or consider generating keys on a machine with a decent amount of
> entropy and securely moving them to your VM.
> Bill.
Yes - lack of Entropy, try...
dd if=/dev/random of=/dev/null bs=128 count=1
... a few times.
Check your entropy levels....
cat /proc/sys/kernel/random/entropy_avail
The package "haveged" does a very reasonable job - I found a description
of it at: www.irisa.fr/caps/projects/hipsor
or you can buy a hardware entropy source (USB dongle-like device)
--
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
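Added example, not part of the original messages: a small Python check that reads the strace excerpt quoted above and shows that the reads on fd 3 are one 64-byte request being refilled a few bytes at a time, with an EAGAIN stall between each refill. That fd 3 is /dev/random is taken from Bill's reply, not from the trace itself; the function names and the starvation heuristic are assumptions made for this example.

```python
import re

# strace lines from the post above (mail line-wrapping rejoined).
TRACE = r'''
read(3, "s\2161\363\364<\1s1\343\311\212\1", 64) = 13
read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
read(3, "p\32\254\352$\264:\22", 51) = 8
read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
read(3, "\370\270\363IE\342X\343", 43) = 8
read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
'''

# read(fd, <buffer>, requested) = result [errno name]
READ_RE = re.compile(r'^read\((\d+), .*, (\d+)\)\s+= (-?\d+)(?: (\w+))?')

def summarize_reads(trace, fd):
    """Summarize how read() requests on one descriptor were satisfied."""
    got = stalls = 0
    first_request = outstanding = None
    for line in trace.splitlines():
        m = READ_RE.match(line.strip())
        if not m or int(m.group(1)) != fd:
            continue
        requested, result, err = int(m.group(2)), int(m.group(3)), m.group(4)
        if first_request is None:
            # Assumption: the first read seen starts the logical request.
            first_request = requested
        if result >= 0:
            got += result                 # short read: partial data arrived
            outstanding = requested - result
        elif err == "EAGAIN":
            stalls += 1                   # non-blocking read found nothing ready
            outstanding = requested
    return {"wanted": first_request, "got": got,
            "outstanding": outstanding, "stalls": stalls}

def looks_entropy_starved(summary):
    # Heuristic (assumption): repeated EAGAIN stalls while bytes are still owed.
    return summary["stalls"] >= 2 and (summary["outstanding"] or 0) > 0

if __name__ == "__main__":
    s = summarize_reads(TRACE, 3)
    print(s, "starved" if looks_entropy_starved(s) else "ok")
```

The request sizes in the trace (64, 51, 43, 35) each shrink by exactly the number of bytes the previous read returned, which is what identifies the pattern as a single request waiting on a slow source rather than a series of independent errors.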