I am retrying to setup DNSSEC but I have a problem with:
dnssec-keygen -a RSASHA1 b 1024 -n ZONE tamay-dogan.net
because if I issue the command, it waits forever and nothing happen.
What can this be?
Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
1:9.7.0.dfsg.P1-1~bpo50+1
Thanks, Greetings and nice Day/Evening
Michelle Konzack
--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>
Jabber linux4m...@jabber.ccc.de
ICQ #328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
> Hello *;
>
> I am retrying to setup DNSSEC but I have a problem with:
>
> dnssec-keygen -a RSASHA1 b 1024 -n ZONE tamay-dogan.net
>
> because if I issue the command, it waits forever and nothing happen.
>
> What can this be?
>
> Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
> 1:9.7.0.dfsg.P1-1~bpo50+1
My bet is that this is a VM and you have no entropy. Either generate some
entropy (eg run in paralel something like: find / -type f | xargs grep KSdgajkgdaksdga)
or create the keys on real iron instead of a VM.
Paul
Paul
_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Am 2010-05-28 12:34:16, hacktest Du folgendes herunter:
> My bet is that this is a VM and you have no entropy. Either generate some
> entropy (eg run in paralel something like: find / -type f | xargs grep KSdgajkgdaksdga)
> or create the keys on real iron instead of a VM.
No, this a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
memory and only standard Debian in stallation. The thing with the "find"
does not work...
Hello Paul,
Am 2010-05-28 12:34:16, hacktest Du folgendes herunter:
> My bet is that this is a VM and you have no entropy. Either generate someNo, this a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
> entropy (eg run in paralel something like: find / -type f | xargs grep KSdgajkgdaksdga)
> or create the keys on real iron instead of a VM.
memory and only standard Debian in stallation. The thing with the "find"
does not work...
Am 2010-05-28 10:36:51, hacktest Du folgendes herunter:
> Or it is a chroot jail and it does not have a source of entropy
AFAIK does a chroot give a fals impression bind could be more secure...
Currently I need to secure my bind9 since I had a massive attack on my
<dns1> which is the master. Also I have had more then 30 million queries
in less then one week and bind9 has eaten arround 2.4 GByte of memory...
-----Original Message-----
From: bind-users-bounces+j.tavares=f5....@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5....@lists.isc.org] On Behalf Of Michelle Konzack
Sent: Friday, May 28, 2010 11:22 AM
To: bind-...@lists.isc.org
Subject: Re: dnssec-keygen is waiting endless...
Hello Jack,
Am 2010-05-28 10:36:51, hacktest Du folgendes herunter:
> Or it is a chroot jail and it does not have a source of entropy
Ehm no... <seufz>
Where must this entrophy be?
Thanks, Greetings and nice Day/Evening
I get the same problem on Ubuntu, which is Debian-based. /dev/random
runs out of entropy rapidly and takes a long time to recover.
Using "dnssec-keygen -r /dev/urandom" will make it finish much
faster, but that uses a pseudo-random number generator instead of true
randomness, so it's not the best choice from the paranoid crypto viewpoint.
I often use it for test zones and such. If I needed a proper bulletproof
key on an Ubuntu box, and I didn't want to wait a long time for it, I'd
probably generate the key on some other system and copy it over.
--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.
Am 2010-05-28 11:15:30, hacktest Du folgendes herunter:
> Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what
> your available entropy is during the keygen process.
It show me a number between 0 and several 100
> There are a variety of things you can do to increase the size of the entropy
> pool, but if you're willing to accept less entropy at this point to get
> things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').
This is working for now...
Currently I need to secure my bind9 since I had a massive attack on my
<dns1> which is the master. Also I have had more then 30 million queries
in less then one week and bind9 has eaten arround 2.4 GByte of memory...
Am 2010-05-28 18:33:14, hacktest Du folgendes herunter:
> > Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
> > 1:9.7.0.dfsg.P1-1~bpo50+1
>
> I get the same problem on Ubuntu, which is Debian-based. /dev/random
> runs out of entropy rapidly and takes a long time to recover.
I have tries it on Debian Etch, Lenny and Sid with the same result... On
all three machines I have touse "-r /dev/urandom" which is realy weird.
> Using "dnssec-keygen -r /dev/urandom" will make it finish much
> faster, but that uses a pseudo-random number generator instead of true
> randomness, so it's not the best choice from the paranoid crypto viewpoint.
> I often use it for test zones and such. If I needed a proper bulletproof
> key on an Ubuntu box, and I didn't want to wait a long time for it, I'd
> probably generate the key on some other system and copy it over.
:-) I have 38.000 Zones and on my "AMD Sempron 2200+" with 3 GByte of
memory it take arround 40 Second to create ONE signed zone fro a script.
This mean, if I want to sign 38.000 zones it will run 18 days...
If you're planning to do production DNSSEC on Linux you really need to
configure an entropy gathering daemon in order to properly seed your
/dev/random device. You should be able to find resources for doing this
on line, or in a help forum for your particular brand(s) of Linux.
You might also consider evaluating FreeBSD for your name servers, it
comes with properly configured entropy gathering right out of the box,
and our implementation of /dev/random uses a PRNG method that hands out
high-quality "random" bits with very little danger of running out.
hth,
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/