Re: [opensuse] dnssec-keygen problem in opensuse 11.2, including the genDDNSkey script



On 2010-02-04 13:19, Marcus Meissner wrote:

On Thu, Feb 04, 2010 at 11:45:01AM +0100, Dan Kopparhed wrote:

On 2010-02-04 11:10, Marcus Meissner wrote:

On Thu, Feb 04, 2010 at 10:53:20AM +0100, Dan Kopparhed wrote:

Hi, I ran into a problem that I suspect may be a bug in dnssec-keygen.
Can someone confirm this?

I was trying to generate keys with the genDDNSkey script, but the script
just freezes. So I had a look at the script and discovered that the
problem occurs when calling dnssec-keygen. It sleeps, seemingly stuck
waiting 4-ever (well, I honestly only tried for a few minutes).
Actually, when trying this over and over again, it succeeded once out of
something like 15+ attempts. I changed nothing between trials.

In opensuse 11.1, latest bind update, running this command immediately
generates private and public keys Ktest.*
/usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/random -n USER test

In opensuse 11.2, fully patched, the same command just falls asleep
until killed.


The sleep might be due to reads from /dev/random, which blocks until enough
randomness is there.

File descriptor 3 is /dev/random, so you don't have sufficient entropy
currently in it (and it's waiting until you have).

Either wait a while and/or pound on the keyboard ... or you could fall back
to /dev/urandom.


Thanks for helping out, Marcus!

This "error" was somewhat confusing at first (since there are no messages, just silence). So, in case someone else encounters this issue in the future, I'll elaborate on the explanation a little. First, the difference between /dev/random and /dev/urandom:

/dev/random returns high quality noise generated from sources such as "human" input devices like mice and keyboards, etc. It is possible to increase the rate of entropy gathered by e.g. banging the keyboard (if connected to the computer, i.e. not by SSH, it seems). /dev/random will block until enough entropy is gathered.

/dev/urandom generates as much noise as requested, but with lower quality randomness (pseudo-random algorithms). Using /dev/urandom for generating encryption keys makes it theoretically "easy" to find a way to crack the encryption.

The genDDNSkey script is using /dev/random by default. Thus, on a server without any human devices connected, as in my case, the available entropy may be too low, causing the script (or rather dnssec-keygen) to apparently freeze.

You can see how much entropy is available for /dev/random by reading this:
/proc/sys/kernel/random/entropy_avail

I hope this is helpful for someone.
/Dan
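As an added illustration (not a script from this thread or from the bind package), here is a small POSIX shell wrapper that reads entropy_avail before running the dnssec-keygen command quoted above, so a low pool is reported instead of showing up as a silent hang. The 512-bit threshold and the ENTROPY_FILE override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: refuse to start a /dev/random-backed key generation when the
# kernel entropy pool is too small to satisfy it promptly.
# Assumes Linux; the entropy_avail path is the one named in the thread.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
MIN_ENTROPY="${MIN_ENTROPY:-512}"   # assumed threshold in bits, not from the thread

# entropy_avail FILE -> prints the current pool size in bits, or 0 if unreadable
entropy_avail() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo 0
    fi
}

# entropy_ok FILE MIN -> succeeds when the pool holds at least MIN bits
entropy_ok() {
    avail=$(entropy_avail "$1")
    [ "$avail" -ge "$2" ]
}

# keygen_with_check NAME -> runs the thread's dnssec-keygen invocation only
# when the pool check passes; otherwise explains why it would block and fails
keygen_with_check() {
    if entropy_ok "$ENTROPY_FILE" "$MIN_ENTROPY"; then
        /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/random -n USER "$1"
    else
        echo "entropy pool too low: $(entropy_avail "$ENTROPY_FILE") bits < $MIN_ENTROPY;" \
             "dnssec-keygen -r /dev/random would block until the pool refills" >&2
        return 1
    fi
}

# Only run the key generation when a key name is passed on the command line.
if [ $# -gt 0 ]; then
    keygen_with_check "$1"
fi
```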

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx


