The entropy problem is especially severe in many VMs. Besides Warren's suggestion:
Many current machines have hardware random noise sources that solve (or at least put a big dent in) the entropy problem. A Raspberry Pi is inexpensive, and unless you are generating zillions of keys, will solve most of these issues. I use entropy broker https://www.vanheusden.com/entropybroker/ to distribute entropy from a Pi to my network. (And you can always add another RPi.) I don't recall the last time I ran out of entropy - and no, I'm not talking about the "organization" of my physical desktop :-)

For a while, USB keys with entropy sources were a good choice - but with hardware sources built into most CPUs, I think their time has passed.

The same low-power RPi that feeds entropy is also a great NTP server, VPN gateway and a few other things - for ~USD 40. Or any Intel or AMD CPU since ~2015 has RDRAND/RDSEED.

There are some religious arguments about booby-trapped hardware sources - these days, kernels will mix all sources, so I don't get too upset. But YMMV.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

On 02-Apr-20 11:58, Warren Kumari wrote:
> On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho
> <da...@di.ubi.pt> wrote:
>> Hello, good afternoon.
>> My first post in this list :)
>>
>> I'm running BIND Chroot for many years (currently version 9.8.2) on some old
>> hardware running Oracle Linux 6.
>> I believe it was last year when I was reading about implementing DNSSEC, and
>> I think I've even tried to generate a keypair in the slowest server, which
>> after more than a day, wasn't ready yet. Maybe I was doing something wrong, I
>> honestly don't know.
>
> You almost definitely were -- even a really really slow machine should
> be able to generate keys in a small number of seconds -- you didn't
> list what commands you used, but I'm going to assume you were trying
> to generate an RSA key - you should be able to get a feel for how long
> this takes by running:
> time openssl genrsa -out private.key 2048
> or
> time openssl genrsa -out private.key 4096
> (note that this is very different to running 'openssl speed rsa2048
> rsa4096', which benchmarks RSA operations, not key generations).
>
> I'm fairly sure that your issue was a lack of entropy -- in order to
> generate cryptographically good keys, you need a good source of
> randomness. If you are running an older machine and older kernel, the
> /dev/random source is blocking, and if you try and read too much from
> it, it will just hang until it has enough entropy to give "safe"
> output. Newer kernels do a better job of mixing in external event
> noise, but there are a number of modules which help with this -
> haveged being the best known (http://www.issihosts.com/haveged/).
> You could also test if this is the issue by using /dev/urandom, which
> doesn't block, or 'while true; do cat
> /proc/sys/kernel/random/entropy_avail; sleep 2; done' and see if the
> available entropy drops to zero during key generation...
>
> W
>
>> So now I had some time and was reading about this again.
>>
>> If I query either of my servers about my domain:
>> dig @dns di.ubi.pt DNSKEY
>> I do get the DNSKEY, but I have no records when querying about +dnssec. My
>> topdomain (ubi.pt) doesn't have DNSSEC yet either.
>>
>> My named.conf already has the following:
>>
>> dnssec-enable yes;
>> dnssec-validation auto;
>> dnssec-lookaside auto;
>> bindkeys-file "/etc/named.iscdlv.key";
>> managed-keys-directory "/var/named/dynamic";
>>
>> Outside the configuration file I also have a /etc/named.root.key
>>
>> My questions:
>> 1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it
>> worth it?
>> 2) I have one global "hosts" file and 3 reverse zone files, each for the
>> respective IP network. Can I use the same keypair in all of them?
>> 3) Are the files /etc/named.root.key and /etc/named.iscdlv.key already
>> being used? I compared them to the result of the DNSKEY dig query but they
>> are different.
>>
>> Thank you so much for your time!
>> Best regards
>>
>> Best regards
>> David Alexandre M. de Carvalho
>> ---------------------------------------
>> IT Specialist
>> Department of Informatics
>> Universidade da Beira Interior
>>
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
> ---maf
>
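Warren's two checks (timing `openssl genrsa` and polling entropy_avail) combined into one diagnostic, as an added example that is not code from either poster; it assumes a Linux host with /proc, an openssl binary for the timing step, and the entropy thresholds in classify_entropy are my own rule of thumb rather than anything the kernel defines.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: does RSA key generation stall for
# lack of kernel entropy? Times `openssl genrsa` while polling entropy_avail.
# Assumes Linux with /proc; the timing step also needs an openssl binary.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Kernel's current entropy estimate, or -1 when the file is unavailable.
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then cat "$ENTROPY_FILE"; else printf '%s\n' -1; fi
}

# Classify a reading. Older kernels (before Linux 5.6) block /dev/random when
# the pool runs low, so readings near zero explain a hung keygen; on newer
# kernels the counter is informational only. Thresholds are this example's.
classify_entropy() {
    if [ "$1" -lt 0 ]; then echo unknown
    elif [ "$1" -lt 64 ]; then echo starved
    elif [ "$1" -lt 256 ]; then echo low
    else echo ok; fi
}

# List hardware and daemon sources the kernel can mix into its pool.
rng_sources() {
    grep -qw rdrand /proc/cpuinfo 2>/dev/null && echo "cpu: rdrand"
    grep -qw rdseed /proc/cpuinfo 2>/dev/null && echo "cpu: rdseed"
    [ -r /sys/class/misc/hw_random/rng_current ] &&
        echo "hwrng: $(cat /sys/class/misc/hw_random/rng_current)"
    for d in haveged rngd; do pgrep -x "$d" >/dev/null 2>&1 && echo "daemon: $d"; done
    return 0
}

# Generate an RSA key of the given size, sampling entropy_avail every second.
# Prints "seconds=<n> min_entropy=<m>"; returns 1 if openssl is missing.
time_keygen() {
    bits=${1:-2048}
    command -v openssl >/dev/null 2>&1 || return 1
    start=$(date +%s); min=$(entropy_avail)
    openssl genrsa -out /dev/null "$bits" 2>/dev/null &
    pid=$!
    while kill -0 "$pid" 2>/dev/null; do
        cur=$(entropy_avail)
        [ "$cur" -lt "$min" ] && min=$cur
        sleep 1
    done
    echo "seconds=$(( $(date +%s) - start )) min_entropy=$min"
}

if [ "${1:-}" = "--run" ]; then
    echo "entropy_avail=$(entropy_avail) ($(classify_entropy "$(entropy_avail)"))"
    rng_sources
    time_keygen 2048 || echo "openssl not found; skipping keygen timing"
fi
```

Run it with `--run` on the slow server: a min_entropy near zero together with a long seconds= value is the blocking-/dev/random case Warren describes, while a keygen that finishes in seconds with entropy never dipping points elsewhere.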