random-device purpose in DNSSEC
warren at kumari.net
Thu May 10 20:14:01 UTC 2012
On May 10, 2012, at 3:41 PM, Alexander Gurvitz wrote:
> Hello all.
> What is the random device used for?
> ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low on entropy, and BIND's default random-device is /dev/random,
> and it (the device) blocks when there's no entropy available.
1: install haveged (http://www.irisa.fr/caps/projects/hipsor/) -- this will provide you with much randomness.
2: buy a USB entropy widget (for example: http://www.entropykey.co.uk/)
3: See if there is a driver for your TPM -- many boxes have them, and many provide good randomness.
4: NOT RECOMMENDED: use /dev/urandom (only for testing)
> Does BIND really need that entropy, and how much?
Yup. Well, BIND doesn't, but key generation does…
: well, entropy, but I wanted to write much randomness… and I did...
> Alexander Gurvitz,