dnssec-keygen + Bind 9.4.2 RC2
Mark Andrews
Mark_Andrews at isc.org
Wed Nov 21 00:26:14 UTC 2007
> On Nov 20, 2007, at 9:39 AM, Dave Knight wrote:
> > Try those again with:
> >
> > -r /dev/urandom
> >
> > dave
> >
> > On 20-Nov-07, at 12:29 PM, Laurent Archambault wrote:
> >
> >> Hello all,
> >> For personnal exprimentation, i test DNSSEC on my DNS (Bind 9.4.2
> >> RC2).
> >> And for the first command :
> >> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE 1.168.192.in-
> >> addr.arpa.
> >> this command as take (+-) 15/20 secondes for make 2 keys.
> >>
> >> And just after with this command (similar) :
> >> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE archi.amt.
> >> Karchi.amt.+005+28279
> >> Thiis command has finish after 5 hours and with intel 2x core ...
> >>
> >> Is this normal ?
> >>
>
> More specifically, the problem is that /dev/random is running out of
> entropy, at which point is stops outputting data. /dev/urandom does
> not stop at that point.
>
> Here's an apropos reference from the FreeBSD manpage for /dev/random
> and /dev/urandom:
>
> > The two other interfaces are two character devices /dev/random and /
> > dev/urandom. The /dev/random device is suitable for use when very
> > high quality randomness is desired (e.g. for key generation), as it
> > will only return a maximum of the number of bits of randomness (as
> > estimated by the random number generator) contained in the entropy
> > pool.
> > The /dev/urandom device does not have this limit, and will return as
> > many bytes as are requested. As more and more random bytes are
> > requested without giving time for the entropy pool to recharge, this
> > will result in lower quality random numbers. For many applications,
> > however, this is acceptable.
> >
>
>
> I would be interested to know if anyone has a better solution than
> using /dev/urandom for a typical server, on which there are no
> keyboard events and precious few other interrupts to use as sources of
> entropy. The BIND 9 name server maintains its own entropy pool, as
> evidenced by a recent security update. However, for applications that
> need to use a device node for randomness on the server, there does not
> appear to me to be a good solution.
You just make the machine do work. "ls -R /" will keep the
disk busy. Do that over a remote connection then there are
more sources of interupts.
for rsa you only need entropy at key generation time.
> Chris Buxton
> Professional Services
> Men & Mice
> Address: Noatun 17, IS-105, Reykjavik, Iceland
> Phone: +354 412 1500
> Email: cbuxton at menandmice.com
> www.menandmice.com
>
> Men & Mice
> We bring control and flexibility to network management
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list