DNSSEC - many doubts

Timothe Litt litt at acm.org
Fri Apr 3 08:51:43 UTC 2020


The entropy problem is especially severe in many VMs.  Besides Warren's
suggestion:

Many current machines have hardware random noise sources that solve (or
at least put a big dent in) the entropy problem.  A Raspberry Pi is
inexpensive, and unless you are generating zillions of keys, will solve
most of these issues.  I use entropy broker
https://www.vanheusden.com/entropybroker/ to distribute entropy from a Pi to
my network.  (And you can always add another RPi.)  I don't recall the
last time I ran out of entropy - and no, I'm not talking about the
"organization" of my physical desktop :-)

For a while, USB keys with entropy sources were a good choice - but with
hardware sources built into most CPUs, I think their time has passed.
The same low-power RPi that feeds entropy is also a great NTP server,
VPN gateway and a few other things - for ~USD 40.  Or any Intel or AMD
CPU since ~2015 has RDRAND/RDSEED.

There are some religious arguments about booby-trapped hardware sources -
these days, kernels will mix all sources, so I don't get too upset.  But
YMMV.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 02-Apr-20 11:58, Warren Kumari wrote:
> On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho
> <david at di.ubi.pt> wrote:
>> Hello, good afternoon.
>> My first post in this list :)
>>
>> I'm running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
>> I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a
>> keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I
>> honestly don't know.
> You almost definitely were -- even a really really slow machine should
> be able to generate keys in a small number of seconds -- you didn't
> list what commands you used, but I'm going to assume you were trying
> to generate an rsa key - you should be able to get a feel for how long
> this takes by running:
> time openssl genrsa -out private.key 2048
> or
> time openssl genrsa -out private.key 4096
>  (note that this is very different to running 'openssl speed rsa2048
> rsa4096', which benchmarks RSA operations, not key generations).
>
> I'm fairly sure that your issue was a lack of entropy -- in order to
> generate cryptographically good keys, you need a good source of
> randomness. If you are running an older machine and older kernel, the
> /dev/random source is blocking, and if you try and read too much from
> it, it will just hang until it has enough entropy to give "safe"
> output. Newer kernels do a better job of mixing in external event
> noise, but there are a number of modules which help with this -
> haveged being the best known (http://www.issihosts.com/haveged/ ).
> You could also test if this is the issue by using /dev/urandom, which
> doesn't block, or 'while true; do cat
> /proc/sys/kernel/random/entropy_avail; sleep 2; done' and see if the
> available entropy drops to zero during key generation...
>
> W
>
>> So now I have had some time and am reading about this again.
>>
>> If I query either of my servers about my domain:
>> dig @dns di.ubi.pt DNSKEY
>> I do get the DNSKEY, but I have no records when querying about +dnssec. My topdomain (ubi.pt) doesn't have DNSSEC yet
>> either.
>>
>> my named.conf already has the following:
>>
>>         dnssec-enable yes;
>>         dnssec-validation auto;
>>         dnssec-lookaside auto;
>>         bindkeys-file "/etc/named.iscdlv.key";
>>         managed-keys-directory "/var/named/dynamic";
>>
>> Outside the configuration file I also have a /etc/named.root.key
>>
>> My questions:
>> 1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
>> 2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same
>> Keypair in all of them?
>> 3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already being used? I compared them to the result
>> of the DNSKEY dig query but they are different.
>>
>> Thank you so much for your time!
>> Best regards
>>
>> Os melhores cumprimentos
>> David Alexandre M. de Carvalho
>> ---------------------------------------
>> Especialista de Informática
>> Departamento de Informática
>> Universidade da Beira Interior
>>
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
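The checks Warren and Timothe describe (is /dev/random going to block on this kernel, does the CPU advertise RDRAND/RDSEED, does entropy_avail collapse while a key is generated) collected into one POSIX sh script. This is an added example, not code posted by anyone in the thread; it assumes a Linux host with /proc, and the two flag strings below are constructed samples, not captured from any real server. The dnssec-keygen invocation at the end is the usual workaround for BIND 9.8's default of reading /dev/random: the `-r` option points the key generator at a different randomness device.

```shell
#!/bin/sh
# Added example: diagnose entropy starvation before generating DNSSEC keys.
# Sample /proc/cpuinfo "flags" lines (constructed for this example).
SAMPLE_FLAGS_MODERN="fpu vme de pse tsc msr pae sse2 ssse3 sse4_1 sse4_2 aes avx rdrand rdseed adx"
SAMPLE_FLAGS_OLD="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat sse sse2"

# Exact-token match of a CPU feature in a /proc/cpuinfo flags line.
# $1 = flags line contents, $2 = feature name (rdrand, rdseed, ...)
has_cpu_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Before Linux 5.6, /dev/random blocks whenever the kernel thinks the pool
# is low; from 5.6 on it blocks only until the pool is seeded once at boot.
# $1 = kernel release string, e.g. "2.6.32-754.el6.x86_64" or "5.10.0-8-amd64"
dev_random_may_block() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -lt 6 ] && return 0
    return 1
}

# Run a command in the background and sample entropy_avail once a second
# until it exits; print the lowest value seen (999999 means the command
# finished before the first sample, i.e. entropy was never a problem).
# Usage: min_entropy_during openssl genrsa -out /tmp/test.key 2048
min_entropy_during() {
    "$@" >/dev/null 2>&1 &
    pid=$!
    min=999999
    while kill -0 "$pid" 2>/dev/null; do
        now=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0)
        [ "$now" -lt "$min" ] && min=$now
        sleep 1
    done
    wait "$pid" || true
    echo "$min"
}

# Report on the running host.
report_host() {
    rel=$(uname -r)
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2- || true)
    echo "kernel: $rel"
    if dev_random_may_block "$rel"; then
        echo "/dev/random: may block on this kernel; use -r /dev/urandom or haveged"
    else
        echo "/dev/random: non-blocking once seeded on this kernel"
    fi
    for f in rdrand rdseed; do
        if has_cpu_flag "$flags" "$f"; then echo "cpu: $f present"; else echo "cpu: $f absent"; fi
    done
    echo "entropy_avail now: $(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo unknown)"
    echo "lowest entropy_avail during a 2048-bit RSA keygen: $(min_entropy_during openssl genrsa 2048)"
    # Key generation that does not depend on /dev/random at all (zone name
    # is David's from the thread; the algorithm/size choice is an assumption).
    echo "suggested: dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE di.ubi.pt"
}

case "${1:-}" in
    report) report_host ;;
esac
```

Run it as `sh entropy-check.sh report`; the pure functions (has_cpu_flag, dev_random_may_block) take their input as arguments so they can be exercised without touching /proc.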