dnssec-keygen is waiting endless...

Doug Barton dougb at dougbarton.us
Fri May 28 21:18:14 UTC 2010


On 05/28/10 13:53, Michelle Konzack wrote:
> Hello Evan,
>
> On 2010-05-28 18:33:14, you hacked down the following:
>>> Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
>>> 1:9.7.0.dfsg.P1-1~bpo50+1
>>
>> I get the same problem on Ubuntu, which is Debian-based.  /dev/random
>> runs out of entropy rapidly and takes a long time to recover.
>
> I have tried it on Debian Etch, Lenny and Sid with the same result... On
> all three machines I have to use "-r /dev/urandom", which is really weird.
...
> :-)   I have 38.000 Zones and on my "AMD Sempron 2200+" with 3 GByte of
> memory it takes around 40 seconds to create ONE signed zone from a script.
>
> This means, if I want to sign 38.000 zones it will run 18 days...

If you're planning to do production DNSSEC on Linux you really need to 
configure an entropy gathering daemon in order to properly seed your 
/dev/random device. You should be able to find resources for doing this 
online, or in a help forum for your particular brand(s) of Linux.

You might also consider evaluating FreeBSD for your name servers; it 
comes with properly configured entropy gathering right out of the box, 
and our implementation of /dev/random uses a PRNG method that hands out 
high-quality "random" bits with very little danger of running out.


hth,

Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/
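The thread describes two things an operator wants to see before kicking off a batch of 38.000 key generations: how much entropy the kernel pool currently reports, and a deliberate choice between `/dev/random` and the `-r /dev/urandom` workaround Michelle mentions. The script below is an added example, not code from the thread or from BIND; it reads `/proc/sys/kernel/random/entropy_avail` (the Linux pool-size counter, in bits), compares it against an assumed threshold of 256 bits (`MIN_ENTROPY`, tune to taste), and passes the chosen device to `dnssec-keygen -r`, which the BIND 9.7 tools in the thread accept. The function names and the `ENTROPY_FILE`/`MIN_ENTROPY` variables are this example's own. Two caveats for a reader today: later BIND releases dropped the `-r` option in favour of the system random source, so check `dnssec-keygen -h` on your version, and on Linux kernels 5.6 and newer `/dev/random` no longer blocks once the pool has been initialised, so the slowdown described in 2010 does not occur there.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): check the kernel entropy
# pool before running dnssec-keygen and pick the -r device accordingly.

# Linux exposes the current pool size in bits here; overridable for testing.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
# Assumed threshold (bits) below which we consider the pool "low".
MIN_ENTROPY=${MIN_ENTROPY:-256}

# entropy_status BITS: print "ok" or "low"; exit 0 when the pool is healthy.
entropy_status() {
    bits=$1
    if [ "$bits" -ge "$MIN_ENTROPY" ]; then
        echo ok
        return 0
    fi
    echo low
    return 1
}

# current_entropy: read the live pool size, or 0 where the file is absent
# (non-Linux systems, or a restricted container).
current_entropy() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo 0
    fi
}

# choose_random_source BITS: /dev/random when the pool is healthy,
# otherwise /dev/urandom so the batch does not stall on a drained pool.
choose_random_source() {
    if entropy_status "$1" >/dev/null; then
        echo /dev/random
    else
        echo /dev/urandom
    fi
}

# generate_keys ZONE: wrapper around one key-generation step that logs the
# pool state and the device it settled on, so stalls can be explained later.
generate_keys() {
    zone=$1
    bits=$(current_entropy)
    src=$(choose_random_source "$bits")
    echo "entropy_avail=$bits threshold=$MIN_ENTROPY using -r $src for $zone" >&2
    dnssec-keygen -r "$src" -a RSASHA256 -b 2048 -n ZONE "$zone"
}

# Usage: ./entropy_check.sh example.com
if [ $# -gt 0 ]; then
    generate_keys "$1"
fi
```

The log line written to stderr is the useful part when run from a batch job: if the run takes 18 days, the per-zone record of `entropy_avail` shows whether the pool was starved and whether the fallback actually engaged, which is exactly the evidence Doug's advice about an entropy gathering daemon is meant to address.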
