RE: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

2009-05-14 Thread Jack Tavares
One other thing:
when I remove /dev/random from the chroot, bind just uses the
pre-chroot /dev/random
14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not found
14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random
which is groovy.
So I guess I don't need the chroot random, but I would still like
to know why using the chrooted /dev/random causes this problem.

--
Jack Tavares
AIM: jacktavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle.
My workweek is Sunday-Thursday.
Email sent to me Thursday afternoon (PST) may not be viewed until Sunday 
morning (GMT+2).



From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Thursday, May 14, 2009 09:50
To: bind-users@lists.isc.org
Subject: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

So I posted a couple of messages about how my nsupdates
were failing intermittently when attempting to update a signed zone.

The only error I get in the log is:
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': prerequisites are OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: signer update.test.net approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: update 'test.net/IN' approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': update section prescan OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': adding an RR at 'newest4.test.net' A
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': rolling back
The keys are generated with RSASHA1 and use -r /dev/urandom

I run named in chroot jail, at /var/named
I created /var/named/dev/random with

mknod -m644 /var/named/dev/random c 1 8

which mimics the major and minor number from the system
ls -lL /dev/random

crw-r--r-- 1 root root 1, 8 May 13 03:27 /dev/random
The nsupdates fail, seemingly randomly.

When I delete this /dev/random from the chroot, they work.

So my question is:
am I setting up the /dev/random incorrectly?
should I not be creating /dev/random? (the how-tos I have seen all talk about
re-creating /dev/null and /dev/random etc)

Note:
I also tried generating the keys not using /dev/urandom, and have the same
inconsistent behavior with the chroot /dev/random present.



--
Jack Tavares



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
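An added check, not part of Jack's post, for the chroot device-node setup he describes (the mknod with major 1, minor 8 mirroring the host's /dev/random): it compares the jail's node against the host's by file type, major/minor pair and permission bits, which are the three things a hand-made node can get wrong. The DeviceNode helper, the function names and the default jail path /var/named/dev/random are assumptions for illustration.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceNode:
    """The attributes of a device node that must match the host: st_mode and packed major/minor."""
    mode: int   # st_mode, includes the file type bits (S_IFCHR for a character device)
    rdev: int   # st_rdev, packed major/minor of the device the node refers to

    @classmethod
    def from_path(cls, path):
        st = os.stat(path)
        return cls(mode=st.st_mode, rdev=st.st_rdev)

    @property
    def is_char_device(self):
        return stat.S_ISCHR(self.mode)

    @property
    def major_minor(self):
        return os.major(self.rdev), os.minor(self.rdev)


def compare_device_nodes(host, jail):
    """Return a list of human-readable problems with the jail node; empty when it mirrors the host."""
    problems = []
    if not host.is_char_device:
        problems.append("host node is not a character device")
    if not jail.is_char_device:
        problems.append("jail node is not a character device (mknod needs type 'c')")
    if host.major_minor != jail.major_minor:
        problems.append("major/minor mismatch: host %d,%d vs jail %d,%d"
                        % (host.major_minor + jail.major_minor))
    # Compare permission bits only; the file type bits were checked above.
    if stat.S_IMODE(host.mode) != stat.S_IMODE(jail.mode):
        problems.append("permission mismatch: host %04o vs jail %04o"
                        % (stat.S_IMODE(host.mode), stat.S_IMODE(jail.mode)))
    return problems


def check_chroot_device(host_path="/dev/random", jail_path="/var/named/dev/random"):
    """Stat both paths and report mismatches; a missing jail node is reported, not raised."""
    try:
        jail = DeviceNode.from_path(jail_path)
    except FileNotFoundError:
        # Per the thread, named then falls back to the pre-chroot entropy source.
        return ["jail node %s does not exist (named falls back to the pre-chroot source)" % jail_path]
    return compare_device_nodes(DeviceNode.from_path(host_path), jail)


if __name__ == "__main__":
    for line in check_chroot_device() or ["jail /dev/random mirrors the host node"]:
        print(line)
```

Run it on the chroot host as root (or any user that can stat both nodes); an empty problem list means the jail node is byte-for-byte the same device as the host's, so any remaining failure is not a mknod mistake.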

Re: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

2009-05-14 Thread Mark Andrews

In message 4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com, Jack Tavares writes:
> One other thing:
> when I remove /dev/random from the chroot, bind just uses the
> pre-chroot /dev/random
> 14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not found
> 14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random
> which is groovy.
> So I guess I don't need the chroot random, but I would still like
> to know why using the chrooted /dev/random causes this problem.

Some versions of OpenSSL do unconditional RSA blinding and
this uses /dev/random.  RSA blinding is needed when you are
establishing an encrypted connection such as with SSL.  It
is not needed when generating RRSIGs and we disable it
when we can.

I suspect that /dev/random is not returning enough random
data and that the RSA blinding operation is failing as a
result.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
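Mark's hypothesis above is that a blocking /dev/random is not delivering enough data and the RSA blinding step fails as a result. An added diagnostic, not part of the thread, that opens an entropy source non-blocking so a starved device reports 'would-block' instead of hanging the probe, and reads the kernel's pool counter where it is exposed (Linux /proc/sys/kernel/random/entropy_avail). The function names and the default path list are assumptions; /var/named/dev/random is the jail node from Jack's post.

```python
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux-specific; absent on other systems


def probe_entropy_source(path, nbytes=32):
    """Attempt a non-blocking read of nbytes from a device node.

    Returns (status, bytes_read). 'would-block' means the pool was empty at that
    moment: a blocking reader (a signing process, for instance) would stall there.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except FileNotFoundError:
        return ("missing", 0)
    except OSError:
        return ("error", 0)
    try:
        data = os.read(fd, nbytes)
    except BlockingIOError:          # EAGAIN: nothing available without blocking
        return ("would-block", 0)
    except OSError:
        return ("error", 0)
    finally:
        os.close(fd)
    return ("ok", len(data))


def entropy_available():
    """Size of the kernel entropy pool in bits, or None when the counter is not exposed."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def report(paths=("/dev/random", "/dev/urandom", "/var/named/dev/random")):
    """Probe each path and pair the results with the pool size so a caller can correlate them."""
    result = {"entropy_avail": entropy_available()}
    for p in paths:
        result[p] = probe_entropy_source(p)
    return result


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Repeating the probe while the intermittent nsupdate failures occur would show whether /dev/random answers 'would-block' at those moments. Note that on Linux 5.6 and later /dev/random no longer blocks once the pool is initialised, so 'would-block' there only appears early in boot; on the 2009-era kernels in this thread it is the expected symptom of a drained pool.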