-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For you Scandinavians; no, it's not an animal for mowing your lawn.

Does anyone have experiences using haveged for PRNG? When generating
DNSSEC keys on a virtual server it takes a looong time to get
randomness. I found an article [1] about haveged and decided to try it
out - there are also some tests at the end of the article.

Basically haveged fills the entropy pool by running different programs
and seeing how long it takes to run them, claiming that's random enough.


# "flush" out /dev/random
robert@lux:~/projects/dns/keys$ time dd < /dev/random > /dev/null
^C
0+98029 records in
24507+0 records out
12547584 bytes (13 MB) copied, 4,7777 s, 2,6 MB/s


real    0m4.780s
user    0m0.044s
sys     0m3.424s


# create 4K KSK
robert@lux:~/projects/dns/keys$ time /usr/sbin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
Generating key
pair........................................................................................................................................................................................................................................................................................................................................................................................................++
................................++
Kexample.com.+007+64218

real    0m3.922s
user    0m3.776s
sys     0m0.096s


4 seconds for a 4K key is very impressive performance for a virtual
server.

One thing that makes me wonder though is, when I do
"cat < /dev/random > /dev/null" I see cat taking 73% CPU and haveged
26%. I would at least have expected haveged to use the same CPU as cat.



[1]
https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged


- -- 
Robert Martin-Legene
Internet Infrastructure Specialist
Packet Clearing House
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
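
A bounded, repeatable form of the /dev/random throughput test in the message above, added here as an example that is not part of the original post. It assumes Linux with coreutils `timeout` and `head`; the function names and the 64 KiB / 5 s defaults are made up for illustration.

```shell
#!/bin/sh
# Added example: bounded throughput check for a kernel random device.
# Assumes Linux with coreutils `timeout` and `head`; defaults are arbitrary.

# Print the kernel's entropy estimate in bits, or "n/a" if it is not exposed.
pool_bits() {
    f=/proc/sys/kernel/random/entropy_avail
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# drain_bytes SRC WANT SECS: print how many bytes SRC delivered within SECS.
# A starved, blocking /dev/random yields fewer than WANT instead of hanging.
drain_bytes() {
    timeout "$3" head -c "$2" "$1" 2>/dev/null | wc -c | tr -d ' '
}

# report SRC [WANT] [SECS]: one summary line; non-zero status when the
# device could not deliver WANT bytes within SECS.
report() {
    src=$1; want=${2:-65536}; secs=${3:-5}
    before=$(pool_bits)
    got=$(drain_bytes "$src" "$want" "$secs")
    after=$(pool_bits)
    echo "$src: $got/$want bytes in <= ${secs}s, entropy_avail $before -> $after"
    [ "$got" -eq "$want" ]
}

# Run once with haveged stopped and once with it running, then compare.
if [ -c "${1:-/dev/random}" ]; then report "${1:-/dev/random}" || true; fi
```

On kernels where /dev/random no longer blocks, both runs deliver the full amount and the comparison shows no difference.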