On Thu, 12 Jul 2018 at 22:44, D. Hugh Redelmeier <[email protected]> wrote:
>
> My run of the test suite is making glacial progress.
>
> It has been stuck for seven hours in dnssec-keygen on the host
> computer:
>
>   \_ make kvm-check
>       \_ /bin/sh ./testing/baseconfigs/all/etc/bind/generate-dnssec.sh
>           \_ dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE 2.1.192.in-addr.arpa

I think this should run on the test domains. Again get us away from a host dependency.

> When I apply gdb to dnssec-keygen, it is sitting there waiting for entropy.
>
> The dnssec-keygen manual says that it uses /dev/random by default.
> gdb shows this to be the case.
>
> I thought: no problem, I've got a 4th gen Intel processor and "rdrand"
> shows up in /proc/cpuinfo. But I see hints that the kernel XORs this
> source with the random number pool and thus does not actually increase
> the amount of entropy estimated to be available. Whatever the
> explanation, there is a severe entropy shortage on my host.
>
> random(4) says, more or less, that /dev/random should not be used and
> /dev/urandom should be used in its place. There are certain cases
> where getrandom(2) is more suitable.
>
> So: at least for testing, I think that we should change
>       testing/baseconfigs/all/etc/bind/generate-dnssec.sh
> to invoke dnssec-keygen with -r /dev/urandom
> This occurs twice.
>
> The same applies to the dnssec-signzone, which appears once, in the
> same file.
>
> I'm testing this now.
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
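
An added example, not part of the original thread or the libreswan tree: a POSIX shell check that lists the `dnssec-keygen` and `dnssec-signzone` invocations in a script that lack the `-r /dev/urandom` option proposed in the quoted message. The function names, the sample script and its zone name `example.test` are constructed for illustration.

```shell
#!/bin/sh
# Report dnssec-keygen / dnssec-signzone invocations that do not pass
# "-r /dev/urandom" and so fall back to the default entropy source,
# which the quoted message identifies as /dev/random.
# Usage: audit_entropy_source [FILE...]   (reads stdin when no file is given)
# Prints "LINE: command" for each offending invocation; exit status 1 if any.
audit_entropy_source() {
    awk '
        # Join backslash-continued lines so a wrapped command is checked whole.
        /\\$/ { if (!start) start = NR; sub(/\\$/, " "); buf = buf $0; next }
        {
            line = buf $0
            n = start ? start : NR      # report the line where the command begins
            buf = ""; start = 0
            sub(/#.*/, "", line)        # drop comments (naive: ignores quoting)
            if (line ~ /(^|[^A-Za-z0-9_-])dnssec-(keygen|signzone)([ \t]|$)/ &&
                line !~ /-r[ \t]*\/dev\/urandom/) {
                print n ": " line
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input; it is not the contents of the real generate-dnssec.sh.
sample_script() {
    cat <<'EOF'
#!/bin/sh
# dnssec-keygen is run below
dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE example.test
dnssec-keygen -K keys -r /dev/urandom -b 1024 \
    -a RSASHA256 -n ZONE example.test
dnssec-signzone -S -K keys \
    -o example.test zone.db
EOF
}

# Demo run: lines 3 and 6 of the sample are reported, line 4 is not.
sample_script | audit_entropy_source || echo "invocations above lack -r /dev/urandom"
```
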
