<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>The entropy problem is especially severe in many VMs. Besides
Warren's<br>
suggestion:<br>
</p>
<p>Many current machines have hardware random noise sources that
solve (or at least<br>
put a big dent) into the entropy problem. A raspberry Pi is
inexpensive, and unless you<br>
are generating zillions of keys, will solve most of these issues.
I use entropy broker<br>
<a href="https://www.vanheusden.com/entropybroker/">https://www.vanheusden.com/entropybroker/</a>
to distribute entropy from a Pi to<br>
my network. (And you can always add another RPi.) I don't recall
the last time<br>
I ran out of entropy - and no, I'm not talking about the
"organization" of my physical<br>
desktop :-)</p>
<p>For a while, USB keys with entropy sources were a good
choice - but with<br>
hardware sources built into most CPUs, I think their time has
passed. The same<br>
low-power RPi that feeds entropy is also a great NTP server, VPN
gateway and a<br>
few other things - for ~USD 40. Or any Intel or AMD CPU since
~2015 has RDRAND/RDSEED.<br>
</p>
<p>There are some religious arguments about booby-trapped hardware
sources - <br>
these days, kernels will mix all sources, so I don't get too
upset. But YMMV.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
<div class="moz-cite-prefix">On 02-Apr-20 11:58, Warren Kumari
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:%3CCAHw9_iLpwGN-NTcs2sHua18sCsABjxrLzf2F-PQ9YiDHbyR=5Q@mail.gmail.com%3E">
<pre class="moz-quote-pre" wrap="">On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho
<a class="moz-txt-link-rfc2396E" href="mailto:david@di.ubi.pt"><david@di.ubi.pt></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Hello, good afternoon.
My first post in this list :)
I've been running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a
keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I
honestly don't know.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
You almost definitely were -- even a really really slow machine should
be able to generate keys in a small number of seconds -- you didn't
list what commands you used, but I'm going to assume you were trying
to generate an rsa key - you should be able to get a feel for how long
this takes by running:
time openssl genrsa -out private.key 2048
or
time openssl genrsa -out private.key 4096
(note that this is very different to running 'openssl speed rsa2048
rsa4096', which benchmarks RSA operations, not key generations).
I'm fairly sure that your issue was a lack of entropy -- in order to
generate cryptographically good keys, you need a good source of
randomness. If you are running an older machine and older kernel, the
/dev/random source is blocking, and if you try and read too much from
it, it will just hang until it has enough entropy to give "safe"
output. Newer kernels do a better job of mixing in external event
noise, but there are a number of modules which help with this -
haveged being the best known (<a class="moz-txt-link-freetext" href="http://www.issihosts.com/haveged/">http://www.issihosts.com/haveged/</a> ).
You could also test if this is the issue by using /dev/urandom, which
doesn't block, or 'while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done'
and see if the available entropy drops to zero during key generation...
W
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">So now I had some time and reading about this again.
If I query either of my servers about my domain:
dig @dns di.ubi.pt DNSKEY
I do get the DNSKEY, but I have no records when querying with +dnssec. My top domain (ubi.pt) doesn't have DNSSEC yet
either.
my named.conf already has the following:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
Outside the configuration file I also have a /etc/named.root.key
My questions:
1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same
Keypair in all of them?
3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already being used? I compared them to the result
of the DNSKEY dig query but they are different.
Thank you so much for your time!
Best regards
Os melhores cumprimentos
David Alexandre M. de Carvalho
---------------------------------------
Especialista de Informática
Departamento de Informática
Universidade da Beira Interior
_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
---maf
</pre>
</blockquote>
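<p>The checks proposed in the thread (time an RSA key generation with openssl, watch entropy_avail while it runs, and see whether the CPU advertises RDRAND/RDSEED) gathered into one diagnostic script. This is an added example, not code from the thread, from BIND or from ISC; it assumes a Linux /proc, the starved/low/ok thresholds in entropy_verdict are this script's own rule of thumb rather than kernel limits, and the embedded cpuinfo text is a constructed sample used when /proc/cpuinfo is not readable. Caveat: on Linux 5.6 and later /dev/random only blocks until the pool is first initialised, so a low entropy_avail reading on such a kernel does not by itself mean key generation will stall.</p>

```shell
#!/bin/sh
# Added example (not from the thread): is slow RSA keygen entropy starvation?
# Assumes Linux /proc paths. Thresholds below are this script's own guesses.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
CPUINFO_FILE=/proc/cpuinfo

# Constructed sample of /proc/cpuinfo (two cores), used when the real file
# is not readable so the flag parser can still be exercised.
SAMPLE_CPUINFO='processor : 0
flags : fpu vme sse2 rdrand rdseed
processor : 1
flags : fpu vme sse2 rdrand rdseed'

# rng_flags: read /proc/cpuinfo text on stdin and print the hardware RNG
# instruction flags the CPU advertises (rdrand, rdseed), one per line,
# deduplicated across cores. Prints nothing if neither is present.
rng_flags() {
    grep '^flags' | tr ' ' '\n' | grep -E '^(rdrand|rdseed)$' | sort -u
}

# entropy_verdict N: classify one entropy_avail reading (bits in the pool).
# On kernels before 5.6 /dev/random blocks when the pool runs near empty,
# so repeated readings under ~128 while keygen runs mean starvation.
entropy_verdict() {
    case "$1" in
        '' | *[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$1" -lt 128 ]; then
        echo starved
    elif [ "$1" -lt 1024 ]; then
        echo low
    else
        echo ok
    fi
}

# min_entropy_during CMD [ARGS...]: run CMD in the background, sample the
# pool once a second until it exits, and print the lowest reading seen.
min_entropy_during() {
    if [ ! -r "$ENTROPY_FILE" ]; then
        echo "no $ENTROPY_FILE here (not Linux?)" >&2
        return 2
    fi
    min=$(cat "$ENTROPY_FILE")
    "$@" >/dev/null 2>&1 &
    pid=$!
    while kill -0 "$pid" 2>/dev/null; do
        cur=$(cat "$ENTROPY_FILE")
        [ "$cur" -lt "$min" ] && min=$cur
        sleep 1
    done
    wait "$pid" || :
    echo "$min"
}

# main [--probe]: report RNG flags and the current pool. With --probe also
# time a 2048-bit RSA keygen (the openssl command from the thread) while
# watching the pool, which is the test the reply suggests.
main() {
    if [ -r "$CPUINFO_FILE" ]; then
        flags=$(rng_flags < "$CPUINFO_FILE" | tr '\n' ' ')
    else
        flags=$(printf '%s\n' "$SAMPLE_CPUINFO" | rng_flags | tr '\n' ' ')
        flags="$flags(from constructed sample cpuinfo)"
    fi
    echo "hardware RNG instructions: ${flags:-none advertised}"
    if [ -r "$ENTROPY_FILE" ]; then
        now=$(cat "$ENTROPY_FILE")
        echo "entropy_avail now: $now ($(entropy_verdict "$now"))"
    fi
    if [ "$1" = "--probe" ] && command -v openssl >/dev/null 2>&1; then
        key="${TMPDIR:-/tmp}/entropy-probe-$$.key"
        start=$(date +%s)
        low=$(min_entropy_during openssl genrsa -out "$key" 2048)
        end=$(date +%s)
        rm -f "$key"
        echo "genrsa 2048 took $((end - start))s; lowest entropy_avail: $low ($(entropy_verdict "$low"))"
    fi
}

main "$@"
```

Run it as <code>sh entropy-check.sh --probe</code> on the slow server. A "starved" reading alongside a genrsa that takes tens of seconds (rather than well under a second) is the symptom described in the thread on a pre-5.6 kernel; a CPU that advertises rdrand/rdseed, or a daemon such as haveged feeding the pool, is the usual remedy.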
</body>
</html>