bert hubert wrote: > > Perhaps a question for everybody.. How do make yure you have enough > > *good* random for (frequent) key generation for (many) different > > zones? > > I've heard good things about http://www.entropykey.co.uk/ . > This is a sort of halfway solution - I'd not suggest just using > /dev/urandom afterwards for state secrets ;-) but it looks pretty good. > > I just ordered one to find out.
Looks interesting indeed; but one should care to use a case-internal non-hotplug-accessible USB-port for it; otherwise it would be a perfect hardware-DOS on the nameserver.. > > Same KSK/ZSK for all deployed zones to reduce the amount of > > random cyclically needed? Write a script to query random.org? > > Invest $BIGBUCKS to purchase expensive TRNG-Hardware? > > Use /dev/urandom instead? o.O > > There are other solutions too - you could for example create a > large random stream based on a single piece of high quality random. > For example, take 256 bits of high quality random and encrypt several > gigabytes of /dev/urandom with it. Take care never to store the 256 > bits and you should be good to go. Memories, please come back..! xD I had a discussion on this topic some time ago (this question keeps turning my mind) with a friend of mine; he's just working on his PhD on a random-heavy subject, and we spent quite a time discussing (or me listening to him^^) how or how not to improve the quality of given random; but the bottom-line slipped my mind -.- And I completely forgot to elaborate on the possibilities that came to my mind for this..^^ One good thing was the Intel 80802 firmware hub; part of the 840-series Intel PIII-chipset, which included a TRNG using thermal noise. Sadly; this wasn't continued in later models. A DIY-Idea was integrating a sound card into the server and connect a mistuned radio to the audio-in to use this static noise for random. The idea currently in evaluation is using smaller players for server-hardware: Since 2003, VIA develops the PadLock security engine, which includes an on-chip-TRNG in the processor-die which generates thermal noise based random at quite a high rate. And this is included in almost any given VIA-CPU since then. So, next to all the AMD and Intel-driven HP, Dell, IBM and other bolides in the server-room, soon there might one or two noname VIA-powered machines ;) The linux-kernel already supports this TRNG; you only need to load the via_rng-module. The only drawback: This module doesn't fill /dev/random but uses /dev/hwrandom; that's why I asked for changing pdns' source of random. Sebastian -- baboo _______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
