On Fri, Jul 20, 2018 at 05:20:32AM +0100, Ken Moffat wrote:
> On Fri, Jul 20, 2018 at 12:37:46AM +0100, Ken Moffat wrote:
> >
> > I now contend that generating a random number to use when validating
> > DNS responses does not require high-quality randomness, and as
> > evidence I refer to the code I posted (taken originally from OpenBSD,
> > according to its documentation, so I will describe it as
> > "paranoid by preference"). It tries to read /dev/random, and only
> > falls back to /dev/urandom if the read failed. But the correct
> > behaviour of /dev/random *on linux* is to hang forever until the
> > kernel determines it can provide the requested entropy.
> >
> I'm going to investigate this. Starting from a faint hope that I
> might get somewhere, I've raised #10964.
>
After raising this on lkml, I've been assured that /dev/urandom is
still non-blocking and the applications (chronyd is also affected if
I start that before unbound) must be calling getrandom.
Also, after a sufficient length of time with haveged running, the
system should be adequate for generating long-lived keys. So I'll
have to live with haveged.
ĸen
--
Entropy not found, thump keyboard to continue
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page