Re: [opensuse] dnssec-keygen problem in opensuse 11.2, including the genDDNSkey script
On 2010-02-04 13:19, Marcus Meissner wrote:

On Thu, Feb 04, 2010 at 11:45:01AM +0100, Dan Kopparhed wrote:

On 2010-02-04 11:10, Marcus Meissner wrote:

On Thu, Feb 04, 2010 at 10:53:20AM +0100, Dan Kopparhed wrote:

Hi, I ran into a problem that I suspect may be a bug in dnssec-keygen.
Can someone confirm this?

I was trying to generate keys with the genDDNSkey script, but the script
just freezes. So I had a look at the script and discovered that the
problem occurs when calling dnssec-keygen. It sleeps, seemingly stuck
waiting 4-ever (well, I honestly only tried for a few minutes).
Actually, when trying this over and over again, it succeeded once out of
something like 15+ attempts. I changed nothing between trials.

In opensuse 11.1, latest bind update, running this command immediately
generates private and public keys Ktest.*
/usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/random -n USER test

In opensuse 11.2, fully patched, the same command just falls asleep
until killed.


The sleep might be due to reads from /dev/random, which blocks until enough
randomness is there.

File descriptor 3 is /dev/random, so you don't have sufficient entropy
currently in it (and it's waiting until you have).

Either wait a while and/or pound on the keyboard ... or you could fall back
to /dev/urandom.


Thanks for helping out, Marcus!

This "error" was somewhat confusing at first (since there are no messages, just silence). So, in case someone else encounters this issue in the future, I'll elaborate on the explanation a little. First, the difference between /dev/random and /dev/urandom:

/dev/random returns high quality noise generated from sources such as "human" input devices like mice and keyboard, etc. It is possible to increase the rate of entropy gathered by e.g. banging the keyboard (if connected to the computer, i.e. not by SSH it seems). /dev/random will block until enough entropy is gathered.

/dev/urandom generates as much noise as requested, but with lower quality randomness (pseudo random algorithms). Using /dev/urandom for generating encryption keys makes it theoretically "easy" to find a way to crack the encryption.

The genDDNSkey script is using /dev/random by default. Thus, on a server without any human devices connected, as in my case, the available entropy may be too low, causing the script (or rather dnssec-keygen) to apparently freeze.

You can see how much entropy is available for /dev/random by reading this:
/proc/sys/kernel/random/entropy_avail

I hope this is helpful for someone.
/Dan
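As an added example (not from the thread and not part of the genDDNSkey script): a POSIX sh helper that reads /proc/sys/kernel/random/entropy_avail and waits a bounded time before running the dnssec-keygen line above, so a starved pool produces a message instead of silence. The threshold, the timeout and the RUN_DEMO variable are assumptions.

```sh
#!/bin/sh
# Added example, not part of the thread: make the "silent freeze" visible by
# checking the kernel entropy pool with a bounded wait before handing
# /dev/random to dnssec-keygen. MIN_ENTROPY and the timeout are assumed values.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
MIN_ENTROPY=${MIN_ENTROPY:-256}   # assumed threshold, in bits of pool estimate

# Print the kernel's current entropy estimate; $1 optionally names the file
# to read (used for testing), defaulting to the proc entry from the thread.
entropy_avail() {
    avail=0
    read -r avail < "${1:-$ENTROPY_FILE}" 2>/dev/null || avail=0
    echo "$avail"
}

# Poll the pool once per second until it reaches $1 bits or $2 seconds pass.
# Returns 0 when enough entropy is available, 1 on timeout. $3 overrides
# the file to read. Unlike reading /dev/random directly, this never blocks
# indefinitely and reports why it is waiting.
wait_for_entropy() {
    want=$1; limit=$2; file=$3; waited=0
    while :; do
        have=$(entropy_avail "$file")
        [ "$have" -ge "$want" ] && return 0
        [ "$waited" -ge "$limit" ] && break
        echo "entropy_avail=$have < $want, waiting (${waited}s/${limit}s)..." >&2
        sleep 1
        waited=$((waited + 1))
    done
    echo "timed out with entropy_avail=$have; keygen would block" >&2
    return 1
}

# Print the dnssec-keygen command from the thread, only once the pool is
# ready; prints nothing and fails otherwise, so a caller can decide whether
# to wait longer or deliberately switch to /dev/urandom.
keygen_cmd() {
    wait_for_entropy "$MIN_ENTROPY" "${2:-30}" "$1" || return 1
    echo "/usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/random -n USER test"
}

# Set RUN_DEMO=1 to report the live pool and show the command that would run.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    echo "entropy_avail: $(entropy_avail)"
    keygen_cmd "" 5 && echo "(pool ready)"
fi
```

The command is only printed, not executed, so the script can be tried on a machine without bind installed; replace the final echo with an exec once the behaviour is as expected.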
