
dnssec-keygen not responding


vishesh kumar

Nov 30, 2011, 12:15:30 AM
to bind-...@lists.isc.org
Hi All

I am trying to generate keys for signing the vishesh.com domain using the following command (for testing purposes):

dnssec-keygen -a RSASHA1 -b 768 -n ZONE vishesh.com.

But it's not responding; I waited around 30 minutes but there is no result.

Operating system is RHEL6 on VirtualBox 4.1

Thanks & Regards
Vishesh Kumar

--

Alan Clegg

Nov 30, 2011, 12:18:04 AM
to bind-...@lists.isc.org
On 11/30/2011 12:15 AM, vishesh kumar wrote:
> Hi All
>
> I am trying to generate keys for signing vishesh.com domain using following
> command (for testing purpose)
>
> dnssec-keygen -a RSASHA1 -b 768 -n ZONE vishesh.com.
>
> But its not responding , i waited around 30 minutes but there is no result
>
> Operating system is RHEL6 on VirtualBox 4.1

You don't have enough entropy in the virtual environment. You can (if
you understand the issues surrounding it), use /dev/urandom as your
random source, or look at installing something like haveged
(http://freecode.com/projects/haveged) to solve the problem.

AlanC
--
al...@clegg.com | acl...@infoblox.com
1.919.355.8851

Adam Tkac

Nov 30, 2011, 3:40:44 AM
to Alan Clegg, bind-...@lists.isc.org
Another good solution is to pass "-r keyboard" to dnssec-keygen.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.
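The two replies above give the practitioner's choices for a starved VM: point dnssec-keygen's -r option at /dev/urandom (accepting that trade-off), at "keyboard", or fix the pool itself with haveged or a hardware RNG. The script below is an added example for this thread, not code from BIND or from anyone in it: it reads the kernel's entropy estimate first, picks the -r source accordingly, and runs dnssec-keygen under a timeout instead of hanging for 30 minutes. The 256-bit threshold and the 120-second timeout are assumptions, the poster's RSASHA1/768 parameters are kept only because they are what the thread uses (too weak for production), and the -r switch belongs to the BIND 9 releases of the RHEL6 era; newer BIND takes its randomness from the system CSPRNG and no longer honours -r. On Linux 5.6 and later /dev/random no longer blocks once the pool is initialized, so the check mainly matters on older kernels like RHEL6's.

```python
"""Pre-flight check before running dnssec-keygen on an entropy-starved VM.
Added example; not part of the original thread or of BIND.  Linux-specific
(reads /proc).  Threshold, timeout and the 'allow_urandom' policy knob are
assumptions chosen for the demo, not BIND settings."""
import shlex
import subprocess

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"   # kernel's bit estimate


def parse_entropy_avail(text):
    """Return the integer bit estimate, or None if the content is not a number."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Read the estimate from /proc; None if the file is missing or unreadable."""
    try:
        with open(path) as f:
            return parse_entropy_avail(f.read())
    except OSError:
        return None


def choose_random_source(avail, threshold=256, allow_urandom=False):
    """Stay on the blocking /dev/random only when the pool looks healthy.
    Otherwise use /dev/urandom if the operator accepts that trade-off (Alan
    Clegg's option), else fall back to 'keyboard' (Adam Tkac's option)."""
    if avail is not None and avail >= threshold:
        return "/dev/random"
    return "/dev/urandom" if allow_urandom else "keyboard"


def build_keygen_cmd(zone, source, algorithm="RSASHA1", bits=768):
    """argv for dnssec-keygen.  Defaults mirror the poster's *test* parameters;
    RSASHA1 with a 768-bit key is far too weak for a production zone."""
    return ["dnssec-keygen", "-a", algorithm, "-b", str(bits),
            "-n", "ZONE", "-r", source, zone]


def run_keygen(cmd, timeout=120):
    """Run dnssec-keygen; return the key name it prints, or None on timeout,
    so a starved pool produces a diagnosis instead of an indefinite hang."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout, check=True)
    except subprocess.TimeoutExpired:
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    avail = read_entropy_avail()
    src = choose_random_source(avail, allow_urandom=True)
    cmd = build_keygen_cmd("vishesh.com.", src)
    print(f"entropy_avail={avail} -> using -r {src}")
    print(shlex.join(cmd))
    result = run_keygen(cmd)
    print(result or "timed out: pool still starved; install haveged or attach a hardware RNG")
```

With allow_urandom left at its default the script never silently downgrades to /dev/urandom; it asks for keyboard input instead, which is the safer default when the operator has not thought about the trade-off Alan mentions.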

Torsten Segner

Nov 30, 2011, 4:01:26 AM
to bind-...@lists.isc.org
On Wed, 30 Nov 2011 09:40:44 +0100, Adam Tkac <at...@redhat.com> wrote:
In RHEL there is a RPM package called unuran.
It's a random number generator daemon using either a piece of hardware or /dev/urandom as source. Running this will provide enough entropy to create lots of keys.

Michael Graff

Nov 30, 2011, 2:45:30 PM
to Torsten Segner, bind-...@lists.isc.org

On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote:
> In RHEL there is a RPM package called unuran.
> It's a random number generator daemon using either a piece of hardware or /dev/urandom as source. Running this will provide enough entropy to create lots of keys.

I'd be rather wary of keys made from /dev/urandom but I am oftentimes a paranoid security freak.

For my VM environment, I bought a USB random source, and share it across the VMs with a little daemon I wrote. Of course, you could just map the RNG into the VM you need too, and even move it around.

--Michael


Paul Wouters

Nov 30, 2011, 10:29:50 PM
to Michael Graff, bind-...@lists.isc.org, Torsten Segner
For KVM, the whole virtio was supposed to have fixed this. I've asked related developers since
the xen2 days for feeding host /dev/random into the guest. It's still failing everywhere :(

Paul

Spain, Dr. Jeffry A.

Nov 30, 2011, 11:06:14 PM
to bind-...@lists.isc.org
> I'd be rather wary of keys made from /dev/urandom but I am often times a paranoid security freak.

Inexpensive USB-attachable RNG: http://www.entropykey.co.uk/

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

Jan-Piet Mens

Dec 1, 2011, 6:17:01 AM
to Michael Graff, bind-...@lists.isc.org
On Wed Nov 30 2011 at 20:45:30 CET, Michael Graff wrote:

> For my VM environment, I bought a USB random source, and share it
> across the VMs with a little daemon I wrote.

Would you be willing to give us a few more details, such as the name of
the USB random source generator (is it an Entropy Key) ?

Of course, if you do tell us what hardware you're using, the next thing
will be we'll want a copy of your unofficial little daemon ... ;-)

Regards,

-JP

Hauke Lampe

Dec 1, 2011, 8:56:40 AM
to bind-...@lists.isc.org

Jan-Piet Mens wrote:

> Would you be willing to give us a few more details, such as the name of
> the USB random source generator (is it an Entropy Key) ?
>
> Of course, if you do tell us what hardware you're using, the next thing
> will be we'll want a copy of your unofficial little daemon ... ;-)

I don't know what Mark uses but I am quite satisfied with Entropy Key's USB key with ekeyd as source and distributing entropy via VPN to remote egd clients:
http://www.entropykey.co.uk/download/

Keep in mind that while the ekey daemon goes to great lengths to protect the entropy stream on the USB interface, the egd TCP connection is not encrypted or signed in any way. A middleman can record the raw entropy stream mixed into a server's pool and maybe even replace it with a known pattern.


Hauke

Michael Graff

Dec 1, 2011, 12:56:12 PM
to Jan-Piet Mens, bind-...@lists.isc.org
I'm using an Araneus Alea I, from http://www.araneus.fi/products-alea-eng.html. I'm sure others would work as well. I know the creator of this device personally though, so it's the one sticking out of the back of the box I own. :)

As for the daemon, well, I may have to find the time to clean it up. :)

Basically, I map the USB dongle into one VM I use for "control stuff" that doesn't run anything else, and is running a scaled down NetBSD install under VMWare. The daemon accepts connections over TCP, and sends chunks of randomness to whoever asks, as much as they request, when it is available.

The receiver then encrypts the data with a 128-bit key to scramble it further, and feeds it into the system's random pool. From there on, /dev/random just works. It basically attempts to keep the random pool full, so while /dev/random may block, it won't do so for very long. I believe the daemon checks once every 100ms or so.

--Michael

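Hauke's caveat and Michael's design above fit together: an egd-style TCP feed of raw entropy is only as trustworthy as the network path, and the receiver-side encryption step Michael describes does not by itself stop a middleman from recording or substituting what goes into the pool. The sketch below is an added example for this thread, not Michael Graff's daemon, ekeyd or egd. Each chunk carries a sequence number and an HMAC-SHA256 tag under a key the two VMs share out of band, so a modified, replayed or injected chunk is rejected rather than mixed in; an accepted chunk is then whitened under a second 128-bit key (a keyed HMAC keystream stands in for the encryption Michael mentions) and handed to the kernel through the Linux RNDADDENTROPY ioctl, which also credits entropy so a blocked dnssec-keygen can proceed. Paul's "pipe dd over ssh" gets the authenticated channel for free; this is for the plain-TCP case. All keys and the sample chunk are constructed for the demo.

```python
"""Authenticated entropy transport between VMs.  Added example for this thread;
not Michael Graff's daemon, ekeyd or egd.  Keys and SAMPLE_CHUNK are constructed
for the demo; feed_pool() is Linux-specific and needs root to credit entropy."""
import fcntl
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!QH")            # sequence number, chunk length
TAG_LEN = hashlib.sha256().digest_size
RNDADDENTROPY = 0x40085203            # Linux ioctl: _IOW('R', 0x03, int[2])

# Constructed demo keys; provision them out of band, never over the egd link.
MAC_KEY = hashlib.sha256(b"demo mac key").digest()
WHITEN_KEY = hashlib.sha256(b"demo whitening key").digest()[:16]   # 128-bit
SAMPLE_CHUNK = bytes(range(64))       # stands in for 64 bytes read from the RNG


def wrap(seq, chunk, mac_key=MAC_KEY):
    """Sender side: seq || len || chunk || HMAC-SHA256(seq || len || chunk)."""
    hdr = HDR.pack(seq, len(chunk))
    return hdr + chunk + hmac.new(mac_key, hdr + chunk, hashlib.sha256).digest()


class Receiver:
    def __init__(self, mac_key=MAC_KEY, whiten_key=WHITEN_KEY):
        self.mac_key, self.whiten_key = mac_key, whiten_key
        self.next_seq = 0             # lowest sequence number still acceptable

    def unwrap(self, msg):
        """Verify tag, length and sequence; raise ValueError on anything odd."""
        if len(msg) < HDR.size + TAG_LEN:
            raise ValueError("truncated message")
        hdr, body, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
        expect = hmac.new(self.mac_key, hdr + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad MAC: tampered or wrong key")
        seq, length = HDR.unpack(hdr)
        if length != len(body):
            raise ValueError("length mismatch")
        if seq < self.next_seq:
            raise ValueError("replayed or reordered chunk")
        self.next_seq = seq + 1
        return body

    def whiten(self, seq, chunk):
        """XOR the chunk with HMAC(whiten_key, seq || counter) in counter mode.
        Applying it twice with the same seq restores the original."""
        out = bytearray()
        for i in range(0, len(chunk), TAG_LEN):
            block = hmac.new(self.whiten_key, struct.pack("!QQ", seq, i),
                             hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(chunk[i:i + TAG_LEN], block))
        return bytes(out)


def feed_pool(chunk, credit_bits, dev="/dev/random"):
    """Mix chunk into the Linux pool.  As root, RNDADDENTROPY also credits
    'credit_bits' of entropy so a blocked /dev/random reader can proceed;
    unprivileged, a plain write mixes the bytes in without any credit."""
    with open(dev, "wb", buffering=0) as f:
        if os.geteuid() == 0:
            fcntl.ioctl(f, RNDADDENTROPY,
                        struct.pack("ii", credit_bits, len(chunk)) + chunk)
        else:
            f.write(chunk)


def demo():
    """Exercise accept / tamper / replay / whiten on the constructed chunk."""
    rx = Receiver()
    msg = wrap(0, SAMPLE_CHUNK)
    results = {"accepted": rx.unwrap(msg) == SAMPLE_CHUNK}
    tampered = bytearray(msg)
    tampered[HDR.size] ^= 0x01        # flip one bit of the entropy payload
    for name, bad in (("tampered", bytes(tampered)), ("replayed", msg)):
        try:
            rx.unwrap(bad)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e).split(":")[0]
    white = rx.whiten(0, SAMPLE_CHUNK)
    results["whitened_differs"] = white != SAMPLE_CHUNK
    results["whitening_invertible"] = rx.whiten(0, white) == SAMPLE_CHUNK
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The MAC is checked before the header is trusted, and the sequence counter only advances on an accepted chunk, so a failed forgery does not open a replay window. Whitening is deliberately not a substitute for the MAC: it hides the raw RNG output from a passive recorder, but only the tag stops an active one from feeding the pool a known pattern.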

Jan-Piet Mens

Dec 1, 2011, 3:12:58 PM
to bind-...@lists.isc.org
Thanks Michael, and Hauke.

I've had relatively good prior experience with Haveged [1], but I've
always wanted to experiment with a USB random generator.

Both the Araneus Alea [2] and the Entropy Key [3] look very interesting.
I'd heard of the latter previously, and I've ordered that because the
Alea is currently out of stock, and the Entropy Key costs a third.

-JP

[1] http://www.issihosts.com/haveged/
[2] http://www.araneus.fi/products-alea-eng.html
[3] http://www.entropykey.co.uk/


Paul Wouters

Dec 1, 2011, 3:36:34 PM
to Michael Graff, bind-...@lists.isc.org
On Thu, 1 Dec 2011, Michael Graff wrote:

> I'm using an Araneus Alea I, from http://www.araneus.fi/products-alea-eng.html. I'm sure others would work as well. I know the creator of this device personally though, so it's the one sticking out of the back of the box I own. :)

At 150 EURO, it's cheaper to buy a full VIA motherboard and use the via-rng kernel module :)

# dd if=/dev/hw_random of=/tmp/delme bs=1024k count=1
1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 2.98831 seconds, 351 kB/s

One could pipe this over an ssh command too without any new daemons running.

Paul

Warren Kumari

Dec 1, 2011, 5:04:05 PM
to Paul Wouters, bind-...@lists.isc.org
Yeah, a number of motherboards now come with TPMs that include hardware RNGs...

My current personal server (Dell R710) has just such a beastie -- there is some info here: http://domsch.com/blog/?p=107 and I *think* that the rng-tools package now supports it natively....

I spent *many* hours futzing with this, rebooting into the BIOS to try and enable the TPM, upgrading the BIOS, beating my head against a wall, etc...
Eventually I realized that I had purchased the server from the Dell outlet center and even though the build list included the standard (RoW - "Rest of World"!) motherboard it actually had the China specific board that is identical, but doesn't include a TPM....

Doh!

W

Paul Wouters

Dec 1, 2011, 6:04:32 PM
to Warren Kumari, Matt_...@dell.com, bind-...@lists.isc.org
On Thu, 1 Dec 2011, Warren Kumari wrote:

> Yeah, a number of motherboards now come with TPMs that include hardware RNGs...
>
> My current personal server (Dell R710) has just such a beastie -- there is some info here: http://domsch.com/blog/?p=107 and I *think* that the rng-tools package now supports it natively....

I have an R610, but either the bios has it disabled or it did not find it, though I was
pretty sure I enabled it in the BIOS. And yes I confirmed the support is in the rng-utils on rhel5.

> I spent *many* hours futzing with this, rebooting into the BIOS to try and enable the TPM, upgrading the BIOS, beating my head against a wall, etc...
> Eventually I realized that I had purchased the server from the Dell outlet center and even though the build list included the standard (RoW - "Rest of World"!) motherboard it actually had the China specific board that is identical, but doesn't include a TPM....

Maybe I'm suffering from that too? I looked at dmidecode, but it didn't give me much info.

Matt, is there any way to confirm if the TPM is there (but potentially disabled in the BIOS)?

Paul

vishesh kumar

Dec 3, 2011, 9:35:37 AM
to bind-...@lists.isc.org
Thanks all for the wonderful suggestions.

Thanks & Regards
Vishesh Kumar

Jan-Piet Mens

Jan 24, 2012, 8:06:30 AM
to bind-...@lists.isc.org
Hello,

FWIW and for the record, I received an EntropyKey and have briefly described my
experience with it so far at http://dnssexy.net/903

Regards,

-JP