Re: [opensuse] dnssec-keygen problem in opensuse 11.2, including the genDDNSkey script
- From: Dan Kopparhed <dank@xxxxxx>
- Date: Fri, 05 Feb 2010 10:04:24 +0100
On 2010-02-04 13:19, Marcus Meissner wrote:
> On Thu, Feb 04, 2010 at 11:45:01AM +0100, Dan Kopparhed wrote:
>> On 2010-02-04 11:10, Marcus Meissner wrote:
>>> On Thu, Feb 04, 2010 at 10:53:20AM +0100, Dan Kopparhed wrote:
>>>> Hi, I ran into a problem that I suspect may be a bug in dnssec-keygen.
>>>> Can someone confirm this?
>>>> I was trying to generate keys with the genDDNSkey script, but the script
>>>> just freezes. So I had a look at the script and discovered that the
>>>> problem occurs when calling dnssec-keygen. It sleeps, seemingly stuck
>>>> waiting 4-ever (well, I honestly only tried for a few minutes).
>>>> Actually, when trying this over and over again, it succeeded once out of
>>>> something like 15+ attempts. I changed nothing between trials.
>>>> In opensuse 11.1, latest bind update, running this command immediately
>>>> generates private and public keys Ktest.*
>>>> /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/random -n USER test
>>>> In opensuse 11.2, fully patched, the same command just falls asleep
>>> The sleep might be due to reads from /dev/random, which blocks until enough
>>> randomness is there.
> file descriptor 3 is /dev/random, so you don't have sufficient entropy
> currently in it (and it's waiting until you have).
> either wait a while and/or pound on the keyboard ... or you could fall back
Thanks for helping out, Marcus!
This "error" was somewhat confusing at first (since there are no messages, just silence). So, in case someone else encounters this issue in the future, I'll elaborate on the explanation a little. First, the difference between /dev/random and /dev/urandom:
/dev/random returns high quality noise generated from sources such as "human" input devices like mice and keyboard, etc. It is possible to increase the rate of entropy gathered by e.g. banging the keyboard (if connected to the computer, i.e. not by SSH it seems). /dev/random will block until enough entropy is gathered.
/dev/urandom generates as much noise as requested, but with lower quality randomness (pseudo random algorithms). Using /dev/urandom for generating encryption keys makes it theoretically "easy" to find a way to crack the encryption.
The genDDNSkey script is using /dev/random by default. Thus, on a server without any human devices connected, as in my case, the available entropy may be too low, causing the script (or rather dnssec-keygen) to apparently freeze.
You can see how much entropy is available for /dev/random by reading this:
I hope this is helpful for someone.
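A pre-flight check for the situation described in this message, as an added example that is not part of the original post: it polls the kernel's entropy estimate and reports, instead of hanging silently, when the pool stays too low for a /dev/random read. The path /proc/sys/kernel/random/entropy_avail, the function names, the 512-bit threshold and the timeout are assumptions of the example, and it applies to kernels of this era, where /dev/random blocks on a depleted pool.

```shell
#!/bin/sh
# Added example, not from the thread: check the kernel's entropy estimate
# before starting a key generation that reads /dev/random.
# Assumption: this path is the Linux pool estimate (in bits); it is not quoted
# from the post. ENTROPY_FILE can be overridden, e.g. for testing.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_bits: print the current estimate; return 2 if missing or not a number.
entropy_bits() {
    [ -r "$ENTROPY_FILE" ] || return 2
    read -r bits < "$ENTROPY_FILE" || return 2
    case "$bits" in
        ''|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$bits"
}

# wait_for_entropy NEEDED_BITS TIMEOUT_SECONDS
# Returns 0 once the estimate reaches NEEDED_BITS, 1 if it is still below
# that after TIMEOUT_SECONDS, 2 if the estimate cannot be read.
wait_for_entropy() {
    needed=$1
    timeout=$2
    waited=0
    while :; do
        bits=$(entropy_bits) || { echo "cannot read $ENTROPY_FILE" >&2; return 2; }
        [ "$bits" -ge "$needed" ] && return 0
        if [ "$waited" -ge "$timeout" ]; then
            echo "only $bits bits available after ${waited}s; /dev/random may block" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Usage with the command from the thread (threshold and timeout are assumed values):
#   wait_for_entropy 512 30 &&
#     /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/random -n USER test
```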