RE: Question about message your system is lacking dev/random (or equivalent)
I'm running BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.

# odmget CuDvDr | grep -p random
CuDvDr:
        resource = ddins
        value1 = random
        value2 = 34
        value3 =
crw-r--r--   1 root     system    34,  0 Feb 26 2009 random
crw-r--r--   1 root     system    34,  1 Feb 26 2009 urandom

I'm running BIND9 on 4 DNS servers with the same build and the same OS. 2 of the DNS servers are running with no problem. The other 2 show errors in the dnssec log:

13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

Linh Khuu

-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message your system is lacking dev/random (or equivalent)

> On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
>
>> I just turned on the dnssec-validation today, and I saw lots of messages:
>>
>> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>>
>> Is this a problem with dnssec on my DNS server?
>
> Did you build BIND yourself? When BIND starts does it log anything like: --with-randomdev=something? What operating system, etc? You haven't really provided very much useful information in your question...
>
> DNSSEC needs entropy for signing -- it believes that your system does not provide a useful source of entropy (do you have a /dev/random?) and so it wants you to add some. This is not a BIND problem, it is an OS (or more likely configuration) issue.
>
> W
>
>> Linh Khuu
>> Network Security Specialist
>> MicroTech ESS Contract
>> Office: 410-966-0798
>> Pager: 410-232-2350
>> Email: linh.k...@ssa.gov
>
> -- 
> If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords.
> -- Richard A Steenbergen

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Question about message your system is lacking dev/random (or equivalent)
A few things to try:

1: Make sure that /dev/urandom is actually doing something:

dd if=/dev/urandom bs=1k count=1 | strings

2: You might want to try the same thing on /dev/random, but you will (probably) get way way less output -- you might want to look into seeing if your machine has a hardware entropy source and can / does expose it somewhere -- you can also investigate adding a hardware random source. From a quick look online, AIX is much more restrictive about its entropy sources, but you should be able to run a daemon that adds entropy.

You should also see where BIND believes it should suck randomness from -- it will log this when it starts, mine looks like:

Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf
Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'
Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets

W

On Apr 19, 2010, at 5:59 AM, Khuu, Linh MicroTech wrote:

> I'm running BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.
>
> # odmget CuDvDr | grep -p random
> CuDvDr:
>         resource = ddins
>         value1 = random
>         value2 = 34
>         value3 =
> crw-r--r--   1 root     system    34,  0 Feb 26 2009 random
> crw-r--r--   1 root     system    34,  1 Feb 26 2009 urandom
>
> I'm running BIND9 on 4 DNS servers with the same build and the same OS. 2 of the DNS servers are running with no problem. The other 2 show errors in the dnssec log:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>
> Linh Khuu
>
> -----Original Message-----
> From: Warren Kumari [mailto:war...@kumari.net]
> Sent: Tuesday, April 13, 2010 3:43 PM
> To: Khuu, Linh MicroTech
> Cc: 'bind-users@lists.isc.org'
> Subject: Re: Question about message your system is lacking dev/random (or equivalent)
>
>> On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
>>
>>> I just turned on the dnssec-validation today, and I saw lots of messages:
>>>
>>> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>>> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>>> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>>>
>>> Is this a problem with dnssec on my DNS server?
>>
>> Did you build BIND yourself? When BIND starts does it log anything like: --with-randomdev=something? What operating system, etc? You haven't really provided very much useful information in your question...
>>
>> DNSSEC needs entropy for signing -- it believes that your system does not provide a useful source of entropy (do you have a /dev/random?) and so it wants you to add some. This is not a BIND problem, it is an OS (or more likely configuration) issue.
>>
>> W
>>
>>> Linh Khuu

-- 
Beware that the most effective way for someone to decrypt your data may be with rubber hose.
--- SSH 1.2.12 README
Re: Question about message your system is lacking dev/random (or equivalent)
This is the warning message named emits when it can't find /dev/random.

20-Apr-2010 02:46:35.879 could not open entropy source /dev/random: file not found

The message in question is NOT emitted by named if it has been correctly linked. I suspect that the wrong shared library is being found.

Named only needs /dev/random to generate new signatures when DSA or NSEC3DSA is being used to sign dynamic zones. Named does NOT need /dev/random to validate responses.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
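As an added example that is not from the thread, from BIND or from ISC: a small POSIX shell triage script for the checks discussed in this thread. It covers the two checks Warren suggests (whether the device node is a character device that actually yields bytes, and which randomdev named was built with, read from its startup log) and greps for the "could not open entropy source" warning Mark quotes. The sample log text is constructed after the format quoted in the thread; hostname, PID and paths are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND. Triage helpers for the
# entropy-source checks discussed above. The sample log text is constructed
# after the format quoted in the thread; host, PID and paths are made up.

SAMPLE_NAMED_LOG=$(printf '%s\n' \
  "Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf" \
  "Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'" \
  "Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets")

# Print the randomdev path named was built with, taken from the "built with"
# startup line, or "none" if that line carries no --with-randomdev.
randomdev_from_log() {
    dev=$(printf '%s\n' "$1" | sed -n "s/.*--with-randomdev=\([^' ]*\).*/\1/p" | head -n 1)
    if [ -n "$dev" ]; then printf '%s\n' "$dev"; else printf 'none\n'; fi
}

# Print each entropy source named reported it could not open (the warning
# Mark Andrews quotes), one per line; prints nothing if the log has none.
entropy_open_failures() {
    printf '%s\n' "$1" | sed -n 's/.*could not open entropy source \([^:]*\):.*/\1/p'
}

# Succeed only if $1 is a character device that yields bytes on a 1k read
# (the dd check suggested above). A regular file or an empty node left in a
# chroot fails here. Use this on /dev/urandom only: /dev/random may block.
check_entropy_device() {
    [ -c "$1" ] || return 1
    n=$(dd if="$1" bs=1k count=1 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -gt 0 ]
}

main() {
    printf 'named built with randomdev: %s\n' "$(randomdev_from_log "$SAMPLE_NAMED_LOG")"
    if check_entropy_device /dev/urandom; then
        echo "/dev/urandom: character device, yields bytes"
    else
        echo "/dev/urandom: missing, not a character device, or yields no bytes"
    fi
}

main
```

On a live server, feed `randomdev_from_log` and `entropy_open_failures` the real named startup log instead of the constructed sample.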
Re: Question about message your system is lacking dev/random (or equivalent)
In message 0808710b26e7e541ad135be9553cfb6896c1b3a...@hq-ec-02.ba.ad.ssa.gov, Khuu, Linh MicroTech writes:

> I just turned on the dnssec-validation today, and I saw lots of messages:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

This is like the linker stuffed up. "You must ... (or equivalent)" is not the textual description of a result code. It is a message that can be emitted by the command line tools used to generate keys. Named doesn't call this bit of code.

If you are using shared libraries I would be checking that named is finding the right version of the shared library.

> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?
>
> Linh Khuu

-- 
Mark Andrews, ISC
Question about message your system is lacking dev/random (or equivalent)
I just turned on the dnssec-validation today, and I saw lots of messages:

13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

Is this a problem with dnssec on my DNS server?

Linh Khuu
Re: Question about message your system is lacking dev/random (or equivalent)
On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:

> I just turned on the dnssec-validation today, and I saw lots of messages:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts does it log anything like: --with-randomdev=something? What operating system, etc? You haven't really provided very much useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does not provide a useful source of entropy (do you have a /dev/random?) and so it wants you to add some. This is not a BIND problem, it is an OS (or more likely configuration) issue.

W

> Linh Khuu
RE: Question about message your system is lacking dev/random (or equivalent)
Perhaps you have configured it to run in a chroot jail and have not fully outfitted the chroot with /dev/random.

This is old, but looks to be accurate, at least when talking about the /dev/random file on Linux. You didn't even specify what OS you are running on:

http://tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html

-----Original Message-----
From: bind-users-bounces+j.tavares=f5@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Warren Kumari
Sent: Tuesday, April 13, 2010 12:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message your system is lacking dev/random (or equivalent)

> On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
>
>> I just turned on the dnssec-validation today, and I saw lots of messages:
>>
>> 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>> 13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>>
>> Is this a problem with dnssec on my DNS server?
>
> Did you build BIND yourself? When BIND starts does it log anything like: --with-randomdev=something? What operating system, etc? You haven't really provided very much useful information in your question...
>
> DNSSEC needs entropy for signing -- it believes that your system does not provide a useful source of entropy (do you have a /dev/random?) and so it wants you to add some. This is not a BIND problem, it is an OS (or more likely configuration) issue.
>
> W
>
>> Linh Khuu