DNSSEC - many doubts

Warren Kumari warren at kumari.net
Thu Apr 2 15:58:38 UTC 2020

On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho
<david at di.ubi.pt> wrote:
> Hello, good afternoon.
> My first post in this list :)
> I'm running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
> I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a
> keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I
> honestly don't know.

You almost definitely were -- even a really really slow machine should
be able to generate keys in a small number of seconds -- you didn't
list what commands you used, but I'm going to assume you were trying
to generate an rsa key - you should be able to get a feel for how long
this takes by running:
time openssl genrsa -out private.key 2048
time openssl genrsa -out private.key 4096
 (note that this is very different to running 'openssl speed rsa2048
rsa4096', which benchmarks RSA operations, not key generations).

I'm fairly sure that your issue was a lack of entropy -- in order to
generate crypograohically good keys, you need good a good source of
randomness. If you are running an older machine and older kernel, the
/dev/random source is blocking, and if you try and read too much from
it it will just hang until it has enough entropy to give "safe"
output. Newer kernels do a better job of mixing in external event
noise, but there are a number of modules which help with this -
haveged being the best known (http://www.issihosts.com/haveged/ ).
You could also test if this is the issue by using /dev/urandom, which
doesn't block, or 'while true; do cat
/proc/sys/kernel/random/entropy_avail; sleep 2; done' and see if the
available entropy drops to zero during key generation...


> So now I had some time and reading about this again.
> If I query either of my servers about my domain:
> dig @dns di.ubi.pt DNSKEY
> I do get the DNSKEY, but I have no records when querying about +dnssec. My topdomain (ubi.pt) doesn't have DNSSEC yet
> either.
> my named.conf already has the following:
>         dnssec-enable yes;
>         dnssec-validation auto;
>         dnssec-lookaside auto;
>         bindkeys-file "/etc/named.iscdlv.key";
>         managed-keys-directory "/var/named/dynamic";
> Outside the configuration file I also have a /etc/named.root.key
> My questions:
> 1) Will my old servers (1GB RAM) become much slower with  DNSSEC? Is it worth it?
> 2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same
> Keypair in all of them?
> 3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already being used? I compared them to the result
> of the DNSKEY dig query but they are different.
> Thank you so much for your time!
> Best regards
> Os melhores cumprimentos
> David Alexandre M. de Carvalho
> ---------------------------------------
> Especialista de Informática
> Departamento de Informática
> Universidade da Beira Interior
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.

More information about the bind-users mailing list