Re: Slow zone signing with ECDSA

2017-04-20 Thread Mukund Sivaraman
On Thu, Apr 20, 2017 at 04:03:21PM +0100, Chris Thompson wrote: > On Apr 20 2017, Tony Finch wrote: > > > Mark Andrews wrote: > > > > > > DSA requires random values as part of the signing process. > > > > Traditionally, yes, but it isn't actually required - > > https://tools.ietf.org/html/rfc69

Re: Slow zone signing with ECDSA

2017-04-20 Thread Chris Thompson
On Apr 20 2017, Tony Finch wrote: Mark Andrews wrote: DSA requires random values as part of the signing process. Traditionally, yes, but it isn't actually required - https://tools.ietf.org/html/rfc6979 There is a great deal to be said for using deterministic DSA even if your random number

Re: RDRAND, etc [ wasRe: Slow zone signing with ECDSA

2017-04-20 Thread John W. Blue
TL;DR Sent from Nine From: Timothe Litt Sent: Apr 20, 2017 7:34 AM To: bind-users@lists.isc.org Subject: Re: RDRAND, etc [ wasRe: Slow zone signing with ECDSA On 20-Apr-17 01:26, Paul Kosinski wrote: "The tinfoil hat brigade in some distributions has resisted using t

Re: RDRAND, etc [ wasRe: Slow zone signing with ECDSA

2017-04-20 Thread Timothe Litt
On 20-Apr-17 01:26, Paul Kosinski wrote: > "The tinfoil hat brigade in some distributions has resisted using them, > fearing some conspiracy to provide not-so-random numbers." > > I think the NSA *did*, in fact, compromise the "Dual Elliptic Curve > Deterministic Random Bit Generator" and paid RSA

Re: INSIST error from BIND 9.9.9-P6

2017-04-20 Thread Mark Andrews
In message <20170420.140824.1617725721724411930...@uninett.no>, Havard Eidnes writes: > > Upgrade. > > :) So 9.9.10 should have a fix for this? As did 9.9.9-P8 last week. > (Its release had passed under my radar.) > > Regards, > > - Håvard -- Mark Andrews, ISC 1 Seymour St., Dundas Vall

Re: INSIST error from BIND 9.9.9-P6

2017-04-20 Thread Havard Eidnes
> Upgrade. :) So 9.9.10 should have a fix for this? (Its release had passed under my radar.) Regards, - Håvard

Re: INSIST error from BIND 9.9.9-P6

2017-04-20 Thread Mark Andrews
Upgrade. In message <20170420.135455.1218746118721348152...@uninett.no>, Havard Eidnes writes: > Hi, > > one of our recursive resolvers running BIND 9.9.9-P6 stopped last > night, in the log I find: > > Apr 19 22:26:30 named[14737]: resolver.c:4751: INSIST(fctx->type == ((dns_rdat

INSIST error from BIND 9.9.9-P6

2017-04-20 Thread Havard Eidnes
Hi, one of our recursive resolvers running BIND 9.9.9-P6 stopped last night, in the log I find: Apr 19 22:26:30 named[14737]: resolver.c:4751: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype

Re: Slow zone signing with ECDSA

2017-04-20 Thread Daniel Stirnimann
>> DSA requires random values as part of the signing process. > > Traditionally, yes, but it isn't actually required - > https://tools.ietf.org/html/rfc6979 This is only implemented in openssl 1.1.0: https://github.com/openssl/openssl/commit/190c615d4398cc6c8b61eb7881d7409314529a75 As I've read

Re: Slow zone signing with ECDSA

2017-04-20 Thread Tony Finch
Mark Andrews wrote: > > DSA requires random values as part of the signing process. Traditionally, yes, but it isn't actually required - https://tools.ietf.org/html/rfc6979 (PuTTY has been using deterministic DSA since 2001, because of problems with obtaining random numbers on old versions of Win