Re: dnssec-keygen is waiting endless...
On Fri, 28 May 2010, Michelle Konzack wrote:

> Hello *;
>
> I am retrying to set up DNSSEC but I have a problem with:
>
>     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net
>
> because if I issue the command, it waits forever and nothing happens.
> What can this be?
>
> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
> 1:9.7.0.dfsg.P1-1~bpo50+1

My bet is that this is a VM and you have no entropy. Either generate some
entropy (e.g. run in parallel something like:

    find / -type f | xargs grep KSdgajkgdaksdga

) or create the keys on real iron instead of a VM.

Paul
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: dnssec-keygen is waiting endless...
Or it is a chroot jail and it does not have a source of entropy

-----Original Message-----
From: bind-users-bounces+j.tavares=f5@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Paul Wouters
Sent: Friday, May 28, 2010 9:34 AM
To: Michelle Konzack
Cc: Bind Users
Subject: Re: dnssec-keygen is waiting endless...

> My bet is that this is a VM and you have no entropy. Either generate some
> entropy (e.g. run in parallel something like: find / -type f | xargs grep
> KSdgajkgdaksdga) or create the keys on real iron instead of a VM.
>
> Paul
Re: dnssec-keygen is waiting endless...
Hello Paul,

On 2010-05-28 12:34:16, you hacked the following down:
> My bet is that this is a VM and you have no entropy. Either generate some
> entropy (e.g. run in parallel something like: find / -type f | xargs grep
> KSdgajkgdaksdga) or create the keys on real iron instead of a VM.

No, this is a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
memory and only a standard Debian installation.

The thing with the find does not work...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

--
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL              itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack                   Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                        Kinzigstraße 17
67100 Strasbourg/France                  77694 Kehl/Germany
Tel: +33-6-61925193 mobil                Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
http://www.itsystems.tamay-dogan.net/    http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/       http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de
ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: dnssec-keygen is waiting endless...
On Fri, May 28, 2010 at 10:41 AM, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
> Hello Paul,
>
> On 2010-05-28 12:34:16, you hacked the following down:
>> My bet is that this is a VM and you have no entropy. Either generate some
>> entropy (e.g. run in parallel something like: find / -type f | xargs grep
>> KSdgajkgdaksdga) or create the keys on real iron instead of a VM.
>
> No, this is a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
> memory and only a standard Debian installation.
>
> The thing with the find does not work...

Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what your
available entropy is during the keygen process.

There are a variety of things you can do to increase the size of the entropy
pool, but if you're willing to accept less entropy at this point to get things
going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

Regards,
Casey
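As an added illustration (not code from any poster or from BIND), a POSIX sh wrapper that applies the check above before calling dnssec-keygen: it reads entropy_avail, reports the pool as ok or low, and only switches to '-r /dev/urandom' when the caller has explicitly opted in, since that trades away true randomness. The file path argument, the 1000-bit threshold, the ALLOW_URANDOM switch and the function names are assumptions of this example, not anything the thread or dnssec-keygen defines.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND: inspect the kernel's
# entropy estimate before running dnssec-keygen, so a block on /dev/random
# is reported up front instead of looking like a hung process.

# Assumptions of this example: the path is the file Casey names above; the
# 1000-bit floor is an arbitrary "looks healthy" mark, not a kernel constant.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
ENTROPY_MIN="${ENTROPY_MIN:-1000}"

# Print the current entropy estimate in bits; 0 if the file is unreadable
# (for instance inside a chroot that has no /proc mounted).
entropy_avail() {
    f="${1:-$ENTROPY_FILE}"
    if [ -r "$f" ]; then
        tr -cd '0-9' < "$f"
    else
        printf '0'
    fi
}

# Classify the pool as "ok" or "low" against a threshold in bits.
entropy_state() {
    avail=$(entropy_avail "$1")
    min="${2:-$ENTROPY_MIN}"
    if [ "${avail:-0}" -ge "$min" ]; then
        printf 'ok'
    else
        printf 'low'
    fi
}

# Choose the device for dnssec-keygen's -r option: /dev/urandom only when the
# pool is low AND ALLOW_URANDOM=1 was set; otherwise keep /dev/random and warn.
choose_randomdev() {
    state=$(entropy_state "$1" "$2")
    if [ "$state" = low ] && [ "${ALLOW_URANDOM:-0}" = 1 ]; then
        printf '/dev/urandom'
    else
        if [ "$state" = low ]; then
            echo "warning: entropy pool low; keygen may block" >&2
        fi
        printf '/dev/random'
    fi
}

# Generate the zone key with the chosen device; call as: keygen_zone example.net
keygen_zone() {
    dev=$(choose_randomdev)
    echo "using $dev (entropy_avail=$(entropy_avail))" >&2
    dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r "$dev" "$1"
}
```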
Re: dnssec-keygen is waiting endless...
Hi again,

On 2010-05-28 10:36:51, you hacked the following down:
> Or it is a chroot jail and it does not have a source of entropy

AFAIK a chroot gives a false impression that bind could be more secure...

Currently I need to secure my bind9 since I had a massive attack on my dns1
which is the master. Also I have had more than 30 million queries in less than
one week and bind9 has eaten around 2.4 GByte of memory...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
RE: dnssec-keygen is waiting endless...
Disregard my statement. An incorrect chroot setup will affect the named
executable, but not the dnssec-keygen

-----Original Message-----
From: bind-users-bounces+j.tavares=f5@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Michelle Konzack
Sent: Friday, May 28, 2010 11:22 AM
To: bind-users@lists.isc.org
Subject: Re: dnssec-keygen is waiting endless...

Hello Jack,

On 2010-05-28 10:36:51, you hacked the following down:
> Or it is a chroot jail and it does not have a source of entropy

Ehm no... sigh

Where must this entropy be?

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
Re: dnssec-keygen is waiting endless...
> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
> 1:9.7.0.dfsg.P1-1~bpo50+1

I get the same problem on Ubuntu, which is Debian-based. /dev/random runs out
of entropy rapidly and takes a long time to recover.

Using dnssec-keygen -r /dev/urandom will make it finish much faster, but that
uses a pseudo-random number generator instead of true randomness, so it's not
the best choice from the paranoid crypto viewpoint. I often use it for test
zones and such. If I needed a proper bulletproof key on an Ubuntu box, and I
didn't want to wait a long time for it, I'd probably generate the key on some
other system and copy it over.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: dnssec-keygen is waiting endless...
Hello Casey,

On 2010-05-28 11:15:30, you hacked the following down:
> Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what
> your available entropy is during the keygen process.

It shows me a number between 0 and several hundred.

> There are a variety of things you can do to increase the size of the entropy
> pool, but if you're willing to accept less entropy at this point to get
> things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

This is working for now...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
Re: dnssec-keygen is waiting endless...
On Fri, May 28, 2010 at 11:25 AM, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
> Currently I need to secure my bind9 since I had a massive attack on my dns1
> which is the master. Also I have had more than 30 million queries in less
> than one week and bind9 has eaten around 2.4 GByte of memory...

DNSSEC is for securing your namespace, not your server. With DNSSEC a
validating resolver can prove the authenticity of an answer it receives, but
that won't help with attacks targeting your name server. If you're looking to
secure your server, you'll need to take other security measures with regards
to server/firewall configuration.

Regards,
Casey
Re: dnssec-keygen is waiting endless...
Hello Evan,

On 2010-05-28 18:33:14, you hacked the following down:
>> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
>> 1:9.7.0.dfsg.P1-1~bpo50+1
>
> I get the same problem on Ubuntu, which is Debian-based. /dev/random runs
> out of entropy rapidly and takes a long time to recover.

I have tried it on Debian Etch, Lenny and Sid with the same result... On all
three machines I have to use -r /dev/urandom, which is really weird.

> Using dnssec-keygen -r /dev/urandom will make it finish much faster, but
> that uses a pseudo-random number generator instead of true randomness, so
> it's not the best choice from the paranoid crypto viewpoint. I often use it
> for test zones and such. If I needed a proper bulletproof key on an Ubuntu
> box, and I didn't want to wait a long time for it, I'd probably generate
> the key on some other system and copy it over.

:-) I have 38,000 zones and on my AMD Sempron 2200+ with 3 GByte of memory it
takes around 40 seconds to create ONE signed zone from a script. This means,
if I want to sign 38,000 zones, it will run 18 days...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
Re: dnssec-keygen is waiting endless...
On 05/28/10 13:53, Michelle Konzack wrote:
> Hello Evan,
>
> On 2010-05-28 18:33:14, you hacked the following down:
>>> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
>>> 1:9.7.0.dfsg.P1-1~bpo50+1
>>
>> I get the same problem on Ubuntu, which is Debian-based. /dev/random runs
>> out of entropy rapidly and takes a long time to recover.
>
> I have tried it on Debian Etch, Lenny and Sid with the same result... On
> all three machines I have to use -r /dev/urandom, which is really weird.
...
> :-) I have 38,000 zones and on my AMD Sempron 2200+ with 3 GByte of memory
> it takes around 40 seconds to create ONE signed zone from a script. This
> means, if I want to sign 38,000 zones, it will run 18 days...

If you're planning to do production DNSSEC on Linux you really need to
configure an entropy gathering daemon in order to properly seed your
/dev/random device. You should be able to find resources for doing this
online, or in a help forum for your particular brand(s) of Linux.

You might also consider evaluating FreeBSD for your name servers, it comes
with properly configured entropy gathering right out of the box, and our
implementation of /dev/random uses a PRNG method that hands out high-quality
random bits with very little danger of running out.

hth,

Doug

--
... and that's just a little bit of history repeating.
    -- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover!
http://SupersetSolutions.com/