random-device purpose in DNSSEC

Warren Kumari warren at kumari.net
Thu May 10 20:14:01 UTC 2012


On May 10, 2012, at 3:41 PM, Alexander Gurvitz wrote:

> Hello all.
> 
> What is the random device used for?
> ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
> 
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low at entropy, and BIND default random-device is /dev/random,
> and it (the device) blocks when there's no entropy available.

Multiple options:
1: install haveged (http://www.irisa.fr/caps/projects/hipsor/) -- this will provide you with much randomness [0].
2: buy a USB entropy widget (for example: http://www.entropykey.co.uk/)
3: See if there is a driver for your TPM -- many boxes have them, and many provide good randomness.
4: NOT RECOMMENDED: use /dev/urandom (only for testing)

> 
> Does BIND really need that entropy, and how much?

Yup. Well, BIND doesn't, but key generation does…

W
[0]: well, entropy, but I wanted to write much randomness… and I did...

> 
> Regards,
> Alexander Gurvitz,
> net-me.net
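An added example, not part of Warren's reply or of BIND itself: a small POSIX shell check of the Linux kernel entropy estimate before running a DNSSEC key generation that reads the blocking /dev/random. It assumes Linux (/proc/sys/kernel/random/entropy_avail); the 1000-bit threshold and the daemon names checked (haveged, rngd) are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a blocking read of
# /dev/random is likely to stall before generating DNSSEC keys.
# Assumption: Linux, which exposes the pool estimate in bits here.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# classify_entropy BITS [THRESHOLD]: print "ok" or "low".
# The default threshold of 1000 bits is an arbitrary assumption.
classify_entropy() {
    if [ "$1" -ge "${2:-1000}" ]; then
        echo ok
    else
        echo low
    fi
}

# Current kernel estimate; 0 when the file is missing (non-Linux host).
current_entropy() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo 0
    fi
}

# True if a userspace entropy daemon (haveged or rngd) is running;
# the -x match is by exact process name.
entropy_daemon_running() {
    pgrep -x haveged >/dev/null 2>&1 || pgrep -x rngd >/dev/null 2>&1
}

# Report the state; on "low", warn that /dev/random may block.
check_entropy_report() {
    avail=$(current_entropy)
    status=$(classify_entropy "$avail")
    echo "entropy_avail=$avail status=$status"
    if entropy_daemon_running; then
        echo "entropy daemon: running"
    else
        echo "entropy daemon: not found"
    fi
    if [ "$status" = low ]; then
        echo "warning: /dev/random may block; add a hardware RNG/TPM source or haveged before keygen" >&2
    fi
    return 0
}
```

Run `check_entropy_report` on the host before invoking key generation; the threshold is only a heuristic, since the kernel estimate fluctuates as keys are generated.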