dnssec-keygen + Bind 9.4.2 RC2

Mark Andrews Mark_Andrews at isc.org
Wed Nov 21 00:26:14 UTC 2007


> On Nov 20, 2007, at 9:39 AM, Dave Knight wrote:
> > Try those again with:
> >
> >   -r /dev/urandom
> >
> > dave
> >
> > On 20-Nov-07, at 12:29 PM, Laurent Archambault wrote:
> >
> >> Hello all,
> >> For personal experimentation, I am testing DNSSEC on my DNS (Bind 9.4.2
> >> RC2).
> >> And for the first command:
> >> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE 1.168.192.in-addr.arpa.
> >> this command took (+-) 15/20 seconds to make 2 keys.
> >>
> >> And just after, with this (similar) command:
> >> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE archi.amt.
> >> Karchi.amt.+005+28279
> >> This command finished after 5 hours, and that with an Intel 2x core ...
> >>
> >> Is this normal?
> >>
> 
> More specifically, the problem is that /dev/random is running out of
> entropy, at which point it stops outputting data. /dev/urandom does
> not stop at that point.
> 
> Here's an apropos reference from the FreeBSD manpage for /dev/random  
> and /dev/urandom:
> 
> > The two other interfaces are two character devices /dev/random and
> > /dev/urandom. The /dev/random device is suitable for use when very
> > high quality randomness is desired (e.g. for key generation), as it  
> > will only return a maximum of the number of bits of randomness (as  
> > estimated by the random number generator) contained in the entropy  
> > pool.
> > The /dev/urandom device does not have this limit, and will return as  
> > many bytes as are requested. As more and more random bytes are  
> > requested without giving time for the entropy pool to recharge, this  
> > will result in lower quality random numbers. For many applications,  
> > however, this is acceptable.
> >
> 
> 
> I would be interested to know if anyone has a better solution than  
> using /dev/urandom for a typical server, on which there are no  
> keyboard events and precious few other interrupts to use as sources of  
> entropy. The BIND 9 name server maintains its own entropy pool, as  
> evidenced by a recent security update. However, for applications that  
> need to use a device node for randomness on the server, there does not  
> appear to me to be a good solution.
 
	You just make the machine do work.   "ls -R /" will keep the
	disk busy.  Do that over a remote connection, then there are
	more sources of interrupts.

	For RSA you only need entropy at key generation time.

> Chris Buxton
> Professional Services
> Men & Mice
> Address: Noatun 17, IS-105, Reykjavik, Iceland
> Phone:   +354 412 1500
> Email:   cbuxton at menandmice.com
> www.menandmice.com
> 
> Men & Mice
> We bring control and flexibility to network management
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
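As an added example, not part of the original thread and not BIND's own code: a small POSIX shell script that does the check the discussion above implies before starting a long key generation. It reads a few bytes from a candidate device in the background and treats a read that does not finish within a deadline as a blocked /dev/random, falls back to /dev/urandom (Dave Knight's -r suggestion), reports the Linux kernel's entropy estimate where /proc exposes it, and builds the 2048-bit RSASHA1 KSK command line from the thread with -r set to the chosen device. It assumes dd, mktemp and sleep are available; the 2-second and 5-second deadlines, the function names and the RUN_KEYGEN variable are my own choices, not anything from BIND or the list.

```sh
#!/bin/sh
# Added example, not from the original thread or from BIND.
# Detect a blocking randomness device before committing to a long
# dnssec-keygen run, then build the keygen command with -r pointing
# at a device that actually delivers bytes.

# rng_source_responds DEVICE [BYTES] [TIMEOUT_SECONDS]
#   Reads BYTES from DEVICE in the background. Returns 0 if the read finished
#   within TIMEOUT_SECONDS, 1 if it had to be killed (the device blocked), or
#   dd's own exit status if the read failed outright (e.g. no such device).
rng_source_responds() {
    dev=$1
    nbytes=${2:-64}
    limit=${3:-5}
    pidfile=$(mktemp) || return 2
    statfile="$pidfile.done"     # appears once dd has finished

    # Background group: start dd, publish its pid, then record its exit status.
    { dd if="$dev" of=/dev/null bs=1 count="$nbytes" 2>/dev/null &
      echo "$!" >"$pidfile"
      wait "$!"
      echo "$?" >"$statfile"; } &
    group=$!

    waited=0
    while [ ! -s "$statfile" ]; do
        if [ "$waited" -ge "$limit" ]; then
            kill "$(cat "$pidfile")" 2>/dev/null   # unblock the stuck reader
            wait "$group" 2>/dev/null
            rm -f "$pidfile" "$statfile"
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    status=$(cat "$statfile")
    wait "$group" 2>/dev/null
    rm -f "$pidfile" "$statfile"
    return "$status"
}

# pick_rng_device: prefer /dev/random when it answers within 2 seconds,
# otherwise fall back to /dev/urandom, which does not block once the pool
# has been seeded. Prints the chosen path; returns 1 if neither delivers.
pick_rng_device() {
    for candidate in /dev/random /dev/urandom; do
        if rng_source_responds "$candidate" 64 2; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# entropy_estimate: the Linux kernel's current estimate of pool entropy in
# bits, or "unknown" on systems without /proc/sys/kernel/random.
entropy_estimate() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# ksk_keygen_cmd ZONE DEVICE: the 2048-bit RSASHA1 KSK command from the
# thread, with -r set to DEVICE.
ksk_keygen_cmd() {
    printf 'dnssec-keygen -r %s -f KSK -a RSASHA1 -b 2048 -n ZONE %s\n' "$2" "$1"
}

# Main: pick a device, print the command, run it only when RUN_KEYGEN=1.
zone=${1:-archi.amt.}
if dev=$(pick_rng_device); then
    echo "entropy estimate: $(entropy_estimate) bits; using $dev" >&2
    cmd=$(ksk_keygen_cmd "$zone" "$dev")
    echo "$cmd"
    if [ "${RUN_KEYGEN:-0}" = 1 ] && command -v dnssec-keygen >/dev/null 2>&1; then
        eval "$cmd"
    fi
else
    echo "no randomness device delivered bytes in time" >&2
fi
```

Run it as `RUN_KEYGEN=1 ./pick-rng.sh archi.amt.` to actually generate the key pair; without RUN_KEYGEN it only prints the command it would run. Two caveats: on Linux 5.6 and later /dev/random no longer blocks after the pool has been seeded once, so the fallback rarely triggers there; and on a freshly booted machine /dev/urandom can hand out bytes before the pool has been seeded at all, so the script reports the kernel's entropy estimate rather than silently trusting the device.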