RE: Question about message your system is lacking dev/random (or equivalent)
I'm running BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.

    # odmget CuDvDr | grep -p random
    CuDvDr:
            resource = ddins
            value1 = random
            value2 = 34
            value3 =
    crw-r--r-- 1 root system 34, 0 Feb 26 2009 random
    crw-r--r-- 1 root system 34, 1 Feb 26 2009 urandom

I'm running BIND9 on 4 DNS servers with the same build, same OS. 2 of the DNS servers are running with no problem. The other 2 show this error in the dnssec log:

    13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

Linh Khuu

-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message your system is lacking dev/random (or equivalent)

On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:

> I just turned on the dnssec-validation today, and I saw lots of messages:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts, does it log anything like --with-randomdev=something? What operating system, etc.? You haven't really provided very much useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does not provide a useful source of entropy (do you have a /dev/random?) and so it wants you to add some. This is not a BIND problem, it is an OS (or, more likely, configuration) issue.

W

Linh Khuu
Network Security Specialist
MicroTech ESS Contract
Office: 410-966-0798
Pager: 410-232-2350
Email: linh.k...@ssa.gov

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen
Question about message your system is lacking dev/random (or equivalent)
I just turned on the dnssec-validation today, and I saw lots of messages:

    13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
    13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
    13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

Is this a problem with dnssec on my DNS server?

Linh Khuu
Network Security Specialist
MicroTech ESS Contract
Office: 410-966-0798
Pager: 410-232-2350
Email: linh.k...@ssa.gov
RE: Question about dig command
Thanks Stephane!!! Adding ::1 in the ACL did the trick.

Linh Khuu

-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: Thursday, February 25, 2010 11:09 AM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about dig command

On Thu, Feb 25, 2010 at 10:58:49AM -0500, Khuu, Linh MicroTech linh.k...@ssa.gov wrote a message of 54 lines which said:

> client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied
>
> Then I switched to use the "dig" command from 9.4.1-P1 to query the same record, I got the result nicely.

Possible reason: the recent dig can use IPv6 *transport* (talking to the server with IPv6, not just asking for IPv6 *data*). But maybe ::1 (localhost in IPv6) is not authorized by your name server. Check the ACL, try dig with -4 (or @127.0.0.1), etc.
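An added example, not from the thread, of the check Stephane suggests: pull the client address out of a BIND "query ... denied" log line and see whether that address is listed in the server's ACL, so an IPv6-transport refusal (::1) is told apart from another cause. The function names (denied_client, acl_allows, diagnose) are made up for this example, the log line is a constructed copy of the one in the thread, and the ACL lists stand in for named.conf's allow-query entries and are matched literally, not as CIDR prefixes.

```shell
#!/bin/sh
# Added example (not from the thread). Extract the client address from a BIND
# "query ... denied" log line and check it against a constructed ACL list, to
# tell an IPv6-transport (::1) refusal apart from one that needs other work.
# ACL entries here are matched literally; CIDR prefixes are not expanded
# (a simplification, not how named evaluates address match lists).

# Print the address from "client <addr>#<port>: query ... denied", or nothing.
denied_client() {
    printf '%s\n' "$1" | sed -n 's/^.*client \([^#]*\)#[0-9]*: query.*denied.*$/\1/p'
}

# acl_allows ADDR ENTRY...  -> exit 0 if ADDR is listed, 1 otherwise.
acl_allows() {
    acl_addr=$1; shift
    for acl_entry in "$@"; do
        [ "$acl_entry" = "$acl_addr" ] && return 0
    done
    return 1
}

# diagnose LOGLINE ENTRY...  -> 0: client already allowed; 1: client missing
# from the list (prints what to add); 2: line is not a denied query.
diagnose() {
    dg_line=$1; shift
    dg_addr=$(denied_client "$dg_line")
    if [ -z "$dg_addr" ]; then
        echo "not a denied-query line"; return 2
    fi
    if acl_allows "$dg_addr" "$@"; then
        echo "$dg_addr is already in the ACL; the denial has another cause"
        return 0
    fi
    case $dg_addr in
        ::1)   echo "IPv6 loopback ::1 is not in the ACL: add ::1, or test with dig -4 / @127.0.0.1" ;;
        127.*) echo "IPv4 loopback $dg_addr is not in the ACL: add 127.0.0.1" ;;
        *)     echo "$dg_addr is not in the ACL" ;;
    esac
    return 1
}

# Constructed log line with the same shape as the one in the thread.
LOG="client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied"

diagnose "$LOG" 127.0.0.1 || :   # ACL without ::1: reports the missing entry
diagnose "$LOG" 127.0.0.1 ::1    # ACL with ::1: exit 0
```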
Question about dig command
Hi, I have a question about the "dig" command in IPv6. I have bind-9.6.1-P3 compiled with IPv6 enabled. So far it's running great. But when I use the "dig" command from 9.6.1-P3, I get the following error when querying a record:

    client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied

Then I switched to use the "dig" command from 9.4.1-P1 to query the same record, and I got the result nicely. Why does the dig command from 9.6.1-P3 get denied when querying records?

Linh Khuu
DNSSEC NS record delegation
Hi, I have a question about the DNSSEC NS record. We have the parent zone, for example example.net, being signed with DNSSEC. We have a child zone test.example.net delegating to glbl.example.net as the NS record. glbl.example.net is not DNSSEC-signed. Will nslookup for anything in test.example.net fail?

Linh Khuu