bind-9.9.5 regression test error
Christoph Moench-Tegeder
cmt at burggraben.net
Thu Feb 13 06:16:17 UTC 2014
## Doug Barton (dougb at dougbarton.us):
> If you don't have enough random bits on your system to run these simple
> tests, your /dev/random is seriously underpopulated, and likely a
> security risk. You should definitely not put BIND in production compiled
> with the option you mention above.
Our build/test environment is not our production environment.
Further, the ideas about "random numbers for practical purposes"
have shifted a bit. In short, you don't really need "high real entropy",
but a stream of numbers *unpredictable to the adversary*. See:
http://www.metzdowd.com/pipermail/cryptography/2014-February/019920.html
http://blog.cr.yp.to/20140205-entropy.html
http://iang.org/ssl/hard_truths_hard_random_numbers.html
In fact, on systems like FreeBSD you never get to see the "entropy"
directly, you only get the output of a PRNG (yarrow in this case),
which is periodically reseeded with "real entropy".
Even linux ranodm(4) suggests to use /dev/urandom in most cases, as
frequent reads on /dev/random will deplete the entropy pool and make
/dev/random unusuable for those who really need it.
Regards,
Christoph
--
Spare Space
More information about the bind-users
mailing list