BIND 9's entropy consumption

Tom Limoncelli tal at whatexit.org
Wed Apr 2 21:44:27 UTC 2014


Hi!

I have 4 DNS servers all running BIND 9.8.2 (the CentOS 6.5 package).  One
is configured as the master for about 100 zones.  The other 3 are slaves
for those 100 zones.  On the master the amount of entropy reported by "cat
/proc/sys/kernel/random/entropy_avail" was around 150.  On the slaves it
hovered around 90.

Is there a technical reason for the difference?

There is a graph of one of the slaves here:
http://serverfault.com/questions/582908/entropy-deprivation-on-bind-named-servers

Note: I've since enabled "rngd" and the available entropy hovers around 2k.
So the problem is "solved" that way, but it still makes me very
concerned that the amount of entropy in use was so different.  There is no
DNSSEC configured, no incremental zone transfers (just notifications sent
from the master to all slaves).

Anyone have any theories on why this might be?

Thanks in advance,
Tom


The specific version is:

# named -V
BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
-DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6

-- 
Email: tal at whatexit.org    Work: tlimoncelli at StackOverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com