Question about message "your system is lacking dev/random (or equivalent)"
Khuu, Linh MicroTech
Linh.Khuu at ssa.gov
Mon Apr 19 09:59:38 UTC 2010
I'm running the BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.
# odmget CuDvDr | grep -p random
CuDvDr:
resource = "ddins"
value1 = "random"
value2 = "34"
value3 = ""
crw-r--r-- 1 root system 34, 0 Feb 26 2009 random
crw-r--r-- 1 root system 34, 1 Feb 26 2009 urandom
I'm running BIND9 on 4 DNS servers with same build, same OS. 2 of DNS servers are running with no problem. The other 2 show error in the dnssec log:
13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918:
3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
(keyid=47948): You must use the keyboard to create entropy, since
your system is lacking
/dev/random (or equivalent)
Linh Khuu
-----Original Message-----
From: Warren Kumari [mailto:warren at kumari.net]
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users at lists.isc.org'
Subject: Re: Question about message "your system is lacking dev/random (or equivalent)"
On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
> I just turned on the dnssec-validation today, and I saw lots of
> messages:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918:
> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
> (keyid=47948): You must use the keyboard to create entropy, since
> your system is lacking
> /dev/random (or equivalent)
>
> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:
> usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the
> keyboard to create entropy, since your system is lacking
> /dev/random (or equivalent)
>
> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28:
> usps.gov SOA: verify rdataset (keyid=43133): You must use the
> keyboard to create entropy, since your system is lacking
> /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?
Did you build BIND yourself? When BIND starts does it log anything
like: "--with-randomdev=<something>"?
What operating system, etc? You haven't really provided very much
useful information in your question...
DNSSEC needs entropy for signing -- it believes that your system does
not provide a useful source of entropy (do you have a /dev/random?)
and so it want you to add some. This is not a BIND problem, it is an
OS (or more likely configuration issue).
W
>
> Linh Khuu
> Network Security Specialist
> MicroTech ESS Contract
> Office: 410-966-0798
> Pager: 410-232-2350
> Email: Linh.Khuu at ssa.gov
>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
If the bad guys have copies of your MD5 passwords, then you have way
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 183 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20100419/64b0a7b3/attachment.bin>
More information about the bind-users
mailing list