Re: DNSSEC - many doubts
On 03.04.20 at 10:51, Timothe Litt wrote:
> The entropy problem is especially severe in many VMs. Besides Warren's
> suggestion:
>
> Many current machines have hardware random noise sources that solve (or
> at least put a big dent in) the entropy problem. A Raspberry Pi is
> inexpensive, and unless you are generating zillions of keys, will solve
> most of these issues. I use entropy broker
> https://www.vanheusden.com/entropybroker/ to distribute entropy from a
> Pi to my network. (And you can always add another RPi.) I don't recall
> the last time I ran out of entropy - and no, I'm not talking about the
> "organization" of my physical desktop :-)

https://wiki.archlinux.org/index.php/Haveged

And for the doubts: keep in mind that the kernel mixes all entropy sources and is not compromised even if one of them only ever returns 1.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC - many doubts
The entropy problem is especially severe in many VMs. Besides Warren's suggestion:

Many current machines have hardware random noise sources that solve (or at least put a big dent in) the entropy problem. A Raspberry Pi is inexpensive, and unless you are generating zillions of keys, will solve most of these issues. I use entropy broker https://www.vanheusden.com/entropybroker/ to distribute entropy from a Pi to my network. (And you can always add another RPi.) I don't recall the last time I ran out of entropy - and no, I'm not talking about the "organization" of my physical desktop :-)

For a while, USB keys with entropy sources were a good choice - but with hardware sources built into most CPUs, I think their time has passed. The same low-power RPi that feeds entropy is also a great NTP server, VPN gateway and a few other things - for ~USD 40.

Or any Intel or AMD CPU since ~2015 has RDRAND/RDSEED. There are some religious arguments about booby-trapped hardware sources - these days, kernels will mix all sources, so I don't get too upset. But YMMV.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

On 02-Apr-20 11:58, Warren Kumari wrote:
> On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho wrote:
>> Hello, good afternoon.
>> My first post in this list :)
>>
>> I've been running BIND chroot for many years (currently version 9.8.2) on some old
>> hardware running Oracle Linux 6.
>> I believe it was last year when I was reading about implementing DNSSEC, and
>> I think I've even tried to generate a keypair on the slowest server, which
>> after more than a day wasn't ready yet. Maybe I was doing something wrong, I
>> honestly don't know.
>
> You almost definitely were -- even a really really slow machine should
> be able to generate keys in a small number of seconds -- you didn't
> list what commands you used, but I'm going to assume you were trying
> to generate an RSA key - you should be able to get a feel for how long
> this takes by running:
> time openssl genrsa -out private.key 2048
> or
> time openssl genrsa -out private.key 4096
> (note that this is very different from running 'openssl speed rsa2048
> rsa4096', which benchmarks RSA operations, not key generation).
>
> I'm fairly sure that your issue was a lack of entropy -- in order to
> generate cryptographically good keys, you need a good source of
> randomness. If you are running an older machine and older kernel, the
> /dev/random source is blocking, and if you try and read too much from
> it it will just hang until it has enough entropy to give "safe"
> output. Newer kernels do a better job of mixing in external event
> noise, but there are a number of modules which help with this -
> haveged being the best known (http://www.issihosts.com/haveged/ ).
> You could also test if this is the issue by using /dev/urandom, which
> doesn't block, or 'while true; do cat
> /proc/sys/kernel/random/entropy_avail; sleep 2; done' and see if the
> available entropy drops to zero during key generation...
>
> W
>
>> So now I've had some time and have been reading about this again.
>>
>> If I query either of my servers about my domain:
>> dig @dns di.ubi.pt DNSKEY
>> I do get the DNSKEY, but I have no records when querying with +dnssec. My
>> top domain (ubi.pt) doesn't have DNSSEC yet either.
>>
>> My named.conf already has the following:
>>
>> dnssec-enable yes;
>> dnssec-validation auto;
>> dnssec-lookaside auto;
>> bindkeys-file "/etc/named.iscdlv.key";
>> managed-keys-directory "/var/named/dynamic";
>>
>> Outside the configuration file I also have a /etc/named.root.key
>>
>> My questions:
>> 1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it
>> worth it?
>> 2) I have one global "hosts" file and 3 reverse zone files, each for the
>> respective IP network. Can I use the same keypair in all of them?
>> 3) Are the files /etc/named.root.key and /etc/named.iscdlv.key already
>> being used? I compared them to the result of the DNSKEY dig query but
>> they are different.
>>
>> Thank you so much for your time!
>> Best regards
>>
>> Os melhores cumprimentos
>> David Alexandre M. de Carvalho
>> ---
>> IT Specialist
>> Departamento de Informática
>> Universidade da Beira Interior
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
Re: DNSSEC - many doubts
David Alexandre M. de Carvalho wrote:

A few hints and tips...

> my named.conf already has the following:
>
> dnssec-enable yes;

You don't need this because it's on by default :-)

> dnssec-lookaside auto;

You want to remove this because the DNSSEC lookaside validation service has been decommissioned.

> bindkeys-file "/etc/named.iscdlv.key";

I prefer not to configure this or install the file, instead relying on BIND's compiled-in copy, because that means one less thing to maintain.

> 2) I have one global "hosts" file and 3 reverse zone files, each for the
> respective IP network. Can I use the same keypair in all of them?

Each zone should have its own ZSK and KSK (two K*.key and K*.private files for each zone).

Tony.
--
f.anthony.n.finch  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North Channel: Northwesterly 4 to 6 backing westerly 3 to 5, then southwesterly 2 to 4 later. Smooth or slight in far north, but elsewhere slight or moderate. Showers, wintry at first. Good, occasionally moderate.
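As an added example (not code from the thread or from ISC), the two checks Tony's reply implies, written as a POSIX shell script: flag the named.conf options he says to drop, and confirm that each zone has its own KSK and ZSK by looking at the DNSKEY flags (257 for a KSK, 256 for a ZSK) in the K<zone>.+<alg>+<id>.key files that dnssec-keygen writes. The options block is the one David posted; the reverse zone name 1.168.192.in-addr.arpa, the key IDs and the key material are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts: check the
# named.conf options David listed against Tony's advice, and verify that every
# zone has its own KSK (DNSKEY flags 257) and ZSK (flags 256) among the
# K<zone>.+<alg>+<id>.key files dnssec-keygen writes. The reverse zone name,
# key IDs and key contents below are constructed samples.

# Options block as posted in the question.
SAMPLE_CONF='options {
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};'

# Print each option Tony recommends dropping; exit status 0 only if none found.
audit_dnssec_options() {
    _conf=$1
    _hits=0
    for _opt in dnssec-lookaside bindkeys-file; do
        if printf '%s\n' "$_conf" | grep -Eq "^[[:space:]]*$_opt[[:space:]]"; then
            printf 'remove: %s\n' "$_opt"
            _hits=$((_hits + 1))
        fi
    done
    [ "$_hits" -eq 0 ]
}

# Count DNSKEY records carrying the given flags value in a zone's key files.
count_keys_with_flags() {
    _zone=$1; _dir=$2; _flags=$3
    cat "$_dir"/K"$_zone".+*.key 2>/dev/null | grep -c " DNSKEY $_flags 3 " || true
}

# Report a zone's KSK/ZSK counts; exit status 0 only if it has at least one of each.
zone_has_own_keys() {
    _zone=$1; _dir=$2
    _ksk=$(count_keys_with_flags "$_zone" "$_dir" 257)
    _zsk=$(count_keys_with_flags "$_zone" "$_dir" 256)
    printf '%s: ksk=%s zsk=%s\n' "$_zone" "$_ksk" "$_zsk"
    [ "$_ksk" -ge 1 ] && [ "$_zsk" -ge 1 ]
}

# Constructed key directory: di.ubi.pt has both keys, the assumed reverse zone
# 1.168.192.in-addr.arpa has only a ZSK. Prints the directory path.
make_sample_keydir() {
    _d=$(mktemp -d)
    printf 'di.ubi.pt. IN DNSKEY 257 3 8 AwEAAcKSKexample\n' >"$_d/Kdi.ubi.pt.+008+11111.key"
    printf 'di.ubi.pt. IN DNSKEY 256 3 8 AwEAAcZSKexample\n' >"$_d/Kdi.ubi.pt.+008+22222.key"
    printf '1.168.192.in-addr.arpa. IN DNSKEY 256 3 8 AwEAAcZSKexample\n' \
        >"$_d/K1.168.192.in-addr.arpa.+008+33333.key"
    printf '%s\n' "$_d"
}

# Stand-alone run.
audit_dnssec_options "$SAMPLE_CONF" || echo "named.conf: drop the options listed above"
KEYDIR=$(make_sample_keydir)
for z in di.ubi.pt 1.168.192.in-addr.arpa; do
    zone_has_own_keys "$z" "$KEYDIR" ||
        echo "$z: key missing; e.g. dnssec-keygen -a RSASHA256 -b 2048 -f KSK $z"
done
rm -rf "$KEYDIR"
```

Point the key check at the real key directory (the directory named in the zone's key-directory option, or the zone file's directory) rather than the constructed one; a zone that reports ksk=0 or zsk=0 needs a key generated for it specifically, since a key file is bound to the owner name it was generated for and cannot be shared between the forward and reverse zones.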
Re: DNSSEC - many doubts
> On 2 Apr 2020, at 17:58, Warren Kumari wrote:
>
> If you are running an older machine and older kernel, the
> /dev/random source is blocking

Then just use /dev/urandom; both random and urandom are CSPRNGs.

Ondrej
--
Ondřej Surý
ond...@isc.org
Re: DNSSEC - many doubts
On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho wrote:
>
> Hello, good afternoon.
> My first post in this list :)
>
> I've been running BIND chroot for many years (currently version 9.8.2) on some old
> hardware running Oracle Linux 6.
> I believe it was last year when I was reading about implementing DNSSEC, and
> I think I've even tried to generate a keypair on the slowest server, which
> after more than a day wasn't ready yet. Maybe I was doing something wrong, I
> honestly don't know.

You almost definitely were -- even a really really slow machine should be able to generate keys in a small number of seconds -- you didn't list what commands you used, but I'm going to assume you were trying to generate an RSA key - you should be able to get a feel for how long this takes by running:

time openssl genrsa -out private.key 2048
or
time openssl genrsa -out private.key 4096

(note that this is very different from running 'openssl speed rsa2048 rsa4096', which benchmarks RSA operations, not key generation).

I'm fairly sure that your issue was a lack of entropy -- in order to generate cryptographically good keys, you need a good source of randomness. If you are running an older machine and older kernel, the /dev/random source is blocking, and if you try and read too much from it it will just hang until it has enough entropy to give "safe" output. Newer kernels do a better job of mixing in external event noise, but there are a number of modules which help with this - haveged being the best known (http://www.issihosts.com/haveged/ ).

You could also test if this is the issue by using /dev/urandom, which doesn't block, or 'while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done' and see if the available entropy drops to zero during key generation...

W

> So now I've had some time and have been reading about this again.
>
> If I query either of my servers about my domain:
> dig @dns di.ubi.pt DNSKEY
> I do get the DNSKEY, but I have no records when querying with +dnssec. My
> top domain (ubi.pt) doesn't have DNSSEC yet either.
>
> My named.conf already has the following:
>
> dnssec-enable yes;
> dnssec-validation auto;
> dnssec-lookaside auto;
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
>
> Outside the configuration file I also have a /etc/named.root.key
>
> My questions:
> 1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth
> it?
> 2) I have one global "hosts" file and 3 reverse zone files, each for the
> respective IP network. Can I use the same keypair in all of them?
> 3) Are the files /etc/named.root.key and /etc/named.iscdlv.key already
> being used? I compared them to the result of the DNSKEY dig query but
> they are different.
>
> Thank you so much for your time!
> Best regards
>
> Os melhores cumprimentos
> David Alexandre M. de Carvalho
> ---
> IT Specialist
> Departamento de Informática
> Universidade da Beira Interior

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
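Warren's two checks (time a key generation; watch entropy_avail while it runs) combined into one script, as an added example that is not part of his reply or of any ISC tool. It samples /proc/sys/kernel/random/entropy_avail in the background while a 2048-bit RSA key is generated and reports the lowest value seen alongside the wall time, so a starved machine shows up as a long run with the pool pinned near zero. It assumes a Linux /proc (elsewhere the sampler prints -1) and falls back to reading /dev/urandom if openssl is not installed; the 0.2 s sampling interval and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts: time one
# key generation while sampling /proc/sys/kernel/random/entropy_avail in the
# background, and report the lowest value seen. Assumes Linux /proc (elsewhere
# entropy_avail prints -1); falls back to /dev/urandom if openssl is missing.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Kernel entropy estimate, or -1 if the file is unavailable.
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo "-1"
    fi
}

# The work to measure: a 2048-bit RSA key via openssl, as in Warren's timing
# check. Without openssl, read 256 bytes from /dev/urandom instead.
keygen_2048() {
    if command -v openssl >/dev/null 2>&1; then
        openssl genrsa 2048
    else
        head -c 256 /dev/urandom
    fi
}

# Run a command (given as arguments) while sampling entropy about five times a
# second. Prints "min=<lowest entropy seen> seconds=<wall time> rc=<status>".
min_entropy_during() {
    _samples=$(mktemp)
    ( while :; do entropy_avail; sleep 0.2 2>/dev/null || sleep 1; done ) >"$_samples" &
    _sampler=$!
    _start=$(date +%s)
    if "$@" >/dev/null 2>&1; then _rc=0; else _rc=$?; fi
    _end=$(date +%s)
    kill "$_sampler" 2>/dev/null || true
    wait "$_sampler" 2>/dev/null || true
    _min=$(sort -n "$_samples" | head -n 1)
    rm -f "$_samples"
    printf 'min=%s seconds=%s rc=%s\n' "${_min:--1}" "$((_end - _start))" "$_rc"
}

# Stand-alone run: one measurement of a 2048-bit key generation.
min_entropy_during keygen_2048
```

Two caveats when reading the result. First, openssl genrsa finishing in seconds does not prove dnssec-keygen will: the BIND 9.8 dnssec-keygen reads /dev/random by default, which is exactly the device that blocks on an idle old kernel, and its -r option (for example -r /dev/urandom) selects another source; later 9.x releases dropped that option and always use the system CSPRNG. Second, on recent kernels (5.6 and later) /dev/random no longer blocks once the pool is initialised and the entropy_avail counter reads a constant, so a flat value there is not a sign of starvation.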
DNSSEC - many doubts
Hello, good afternoon.
My first post in this list :)

I've been running BIND chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a keypair on the slowest server, which after more than a day wasn't ready yet. Maybe I was doing something wrong, I honestly don't know.
So now I've had some time and have been reading about this again.

If I query either of my servers about my domain:

dig @dns di.ubi.pt DNSKEY

I do get the DNSKEY, but I have no records when querying with +dnssec. My top domain (ubi.pt) doesn't have DNSSEC yet either.

My named.conf already has the following:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";

Outside the configuration file I also have a /etc/named.root.key

My questions:
1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same keypair in all of them?
3) Are the files /etc/named.root.key and /etc/named.iscdlv.key already being used? I compared them to the result of the DNSKEY dig query but they are different.

Thank you so much for your time!
Best regards

Os melhores cumprimentos
David Alexandre M. de Carvalho
---
IT Specialist
Departamento de Informática
Universidade da Beira Interior