Question about message "your system is lacking dev/random (or equivalent)"

Khuu, Linh MicroTech Linh.Khuu at ssa.gov
Mon Apr 19 09:59:38 UTC 2010


I'm running BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.

# odmget CuDvDr | grep -p random
CuDvDr:
        resource = "ddins"
        value1 = "random"
        value2 = "34"
        value3 = ""

crw-r--r--    1 root     system       34,  0 Feb 26 2009  random
crw-r--r--    1 root     system       34,  1 Feb 26 2009  urandom

I'm running BIND9 on 4 DNS servers with the same build and the same OS. 2 of the DNS servers are running with no problem. The other 2 show this error in the dnssec log:

13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

Linh Khuu
-----Original Message-----
From: Warren Kumari [mailto:warren at kumari.net] 
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users at lists.isc.org'
Subject: Re: Question about message "your system is lacking dev/random (or equivalent)"


On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:

> I just turned on the dnssec-validation today, and I saw lots of  
> messages:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:  
> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset  
> (keyid=47948): You must use the keyboard to create entropy, since  
> your system is lacking
> /dev/random (or equivalent)
>
> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:  
> usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the  
> keyboard to create entropy, since your system is lacking
> /dev/random (or equivalent)
>
> 13-Apr-2010 15:26:37.385 dnssec: debug 3:   validating @202c0e28:  
> usps.gov SOA: verify rdataset (keyid=43133): You must use the  
> keyboard to create entropy, since your system is lacking
> /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts does it log anything  
like: "--with-randomdev=<something>"?
What operating system, etc? You haven't really provided very much  
useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does  
not provide a useful source of entropy (do you have a /dev/random?)  
and so it wants you to add some. This is not a BIND problem, it is an  
OS (or, more likely, configuration) issue.

W




>
> Linh Khuu
> Network Security Specialist
> MicroTech ESS Contract
> Office: 410-966-0798
> Pager: 410-232-2350
> Email: Linh.Khuu at ssa.gov
>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
If the bad guys have copies of your MD5 passwords, then you have way  
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen
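The reply above boils down to two checks per server: which device named was built to use (the --with-randomdev setting) and whether that device is really a readable character device for the user named runs as. The following POSIX shell script is an added example, not code from this thread or from ISC; the default device path, the dnssec log location and the log-line pattern are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from ISC: audit each resolver
# for the device named was built with (--with-randomdev), whether that device
# is really usable, and how many entropy complaints the dnssec log holds.
# The default device path and log location are assumptions.

# Extract the --with-randomdev value from a build/configure line such as
# the one "named -V" prints; prints nothing when the option is absent.
randomdev_from_build_line() {
    printf '%s\n' "$1" | sed -n 's/.*--with-randomdev=\([^ '"'"']*\).*/\1/p'
}

# Classify a random device path. Return codes:
#   0 usable, 1 missing, 2 not a character device, 3 not readable.
check_randomdev() {
    dev="$1"
    [ -e "$dev" ] || return 1
    [ -c "$dev" ] || return 2
    [ -r "$dev" ] || return 3
    return 0
}

# Count dnssec log lines that report the missing-entropy condition.
count_entropy_failures() {
    grep -c 'You must use the keyboard to create entropy' "$1" 2>/dev/null || true
}

# Live audit: prefer the device named was built for; run as the user named
# runs as so the readability check matches what named actually sees.
audit_entropy() {
    dev="$1"; log="$2"
    if command -v named >/dev/null 2>&1; then
        built=$(randomdev_from_build_line "$(named -V 2>/dev/null)")
        echo "named built with --with-randomdev=${built:-(not set)}"
        [ -n "$built" ] && dev="$built"
    fi
    check_randomdev "$dev" && rc=0 || rc=$?
    case $rc in
        0) echo "$dev: usable character device" ;;
        1) echo "$dev: missing" ;;
        2) echo "$dev: exists but is not a character device" ;;
        3) echo "$dev: not readable by $(id -un)" ;;
    esac
    ls -l "$dev" 2>/dev/null
    [ -f "$log" ] && echo "entropy failures in $log: $(count_entropy_failures "$log")"
    return $rc
}

# Usage: sh audit.sh audit [/dev/random] [/var/log/named/dnssec.log]
if [ "${1:-}" = "audit" ]; then audit_entropy "${2:-/dev/random}" "${3:-/var/log/named/dnssec.log}"; fi
```

Running it on the two healthy and the two failing servers and diffing the output is the quickest way to see whether the builds differ in their randomdev setting or the failing hosts' device nodes differ in permissions.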

