dnssec-keygen is waiting endless...

[Michelle Konzack]

Hello *;

I am retrying to setup DNSSEC but I have a problem with:

dnssec-keygen -a RSASHA1 b 1024 -n ZONE tamay-dogan.net

because if I issue the command, it waits forever and nothing happen.

What can this be?

Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
1:9.7.0.dfsg.P1-1~bpo50+1

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>

Jabber linux4m...@jabber.ccc.de
ICQ #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

[Paul Wouters]

On Fri, 28 May 2010, Michelle Konzack wrote:

> Hello *;
>
> I am retrying to setup DNSSEC but I have a problem with:
>
> dnssec-keygen -a RSASHA1 b 1024 -n ZONE tamay-dogan.net
>
> because if I issue the command, it waits forever and nothing happen.
>
> What can this be?
>
> Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
> 1:9.7.0.dfsg.P1-1~bpo50+1

My bet is that this is a VM and you have no entropy. Either generate some
entropy (eg run in paralel something like: find / -type f | xargs grep KSdgajkgdaksdga)
or create the keys on real iron instead of a VM.

Paul

[Jack Tavares]

Or it is a chroot jail and it does not have a source of entropy

Paul
_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

[Michelle Konzack]

Hello Paul,

Am 2010-05-28 12:34:16, hacktest Du folgendes herunter:

> My bet is that this is a VM and you have no entropy. Either generate some
> entropy (eg run in paralel something like: find / -type f | xargs grep KSdgajkgdaksdga)
> or create the keys on real iron instead of a VM.

No, this a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
memory and only standard Debian in stallation. The thing with the "find"
does not work...

[Casey Deccio]

On Fri, May 28, 2010 at 10:41 AM, Michelle Konzack <linux4m...@tamay-dogan.net> wrote:

Hello Paul,

Am 2010-05-28 12:34:16, hacktest Du folgendes herunter:

> My bet is that this is a VM and you have no entropy. Either generate some
> entropy (eg run in paralel something like: find / -type f | xargs grep KSdgajkgdaksdga)
> or create the keys on real iron instead of a VM.

No, this a real machine:    AMD Sempron 2200+ (Socket A) with 3 GByte of
memory and only standard Debian in stallation. The thing with the "find"
does not work...

Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what your available entropy is during the keygen process.

There are a variety of things you can do to increase the size of the entropy pool, but if you're willing to accept less entropy at this point to get things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

Regards,
Casey

[Michelle Konzack]

Hello Jack,

Am 2010-05-28 10:36:51, hacktest Du folgendes herunter:

> Or it is a chroot jail and it does not have a source of entropy

Ehm no... <seufz>

Where must this entrophy be?

[Michelle Konzack]

Hi again,

Am 2010-05-28 10:36:51, hacktest Du folgendes herunter:
> Or it is a chroot jail and it does not have a source of entropy

AFAIK does a chroot give a fals impression bind could be more secure...

Currently I need to secure my bind9 since I had a massive attack on my
<dns1> which is the master. Also I have had more then 30 million queries
in less then one week and bind9 has eaten arround 2.4 GByte of memory...

[Jack Tavares]

Disregard my statement.
An incorrect chroot setup will affect the named executable, but not
the dnssec-keygen

-----Original Message-----
From: bind-users-bounces+j.tavares=f5....@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5....@lists.isc.org] On Behalf Of Michelle Konzack
Sent: Friday, May 28, 2010 11:22 AM
To: bind-...@lists.isc.org
Subject: Re: dnssec-keygen is waiting endless...

Hello Jack,

Am 2010-05-28 10:36:51, hacktest Du folgendes herunter:
> Or it is a chroot jail and it does not have a source of entropy

Ehm no... <seufz>

Where must this entrophy be?

Thanks, Greetings and nice Day/Evening

[Evan Hunt]

> Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
> 1:9.7.0.dfsg.P1-1~bpo50+1

I get the same problem on Ubuntu, which is Debian-based. /dev/random
runs out of entropy rapidly and takes a long time to recover.

Using "dnssec-keygen -r /dev/urandom" will make it finish much
faster, but that uses a pseudo-random number generator instead of true
randomness, so it's not the best choice from the paranoid crypto viewpoint.
I often use it for test zones and such. If I needed a proper bulletproof
key on an Ubuntu box, and I didn't want to wait a long time for it, I'd
probably generate the key on some other system and copy it over.

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

[Michelle Konzack]

Hello Casey,

Am 2010-05-28 11:15:30, hacktest Du folgendes herunter:

> Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what
> your available entropy is during the keygen process.

It show me a number between 0 and several 100

> There are a variety of things you can do to increase the size of the entropy
> pool, but if you're willing to accept less entropy at this point to get
> things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

This is working for now...

[Casey Deccio]

On Fri, May 28, 2010 at 11:25 AM, Michelle Konzack <linux4m...@tamay-dogan.net> wrote:

Currently I need to secure my bind9 since I had a massive attack  on  my
<dns1> which is the master. Also I have had more then 30 million queries
in less then one week and bind9 has eaten arround 2.4 GByte of memory...

DNSSEC is for securing your namespace, not your server. With DNSSEC a validating resolver can prove the authenticity of an answer it receives, but that won't help with attacks targeting your name server.

If you're looking to secure your server, you'll need to take other security measures with regards to server/firewall configuration.

Regards,
Casey

[Michelle Konzack]

Hello Evan,

Am 2010-05-28 18:33:14, hacktest Du folgendes herunter:

> > Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
> > 1:9.7.0.dfsg.P1-1~bpo50+1
>
> I get the same problem on Ubuntu, which is Debian-based. /dev/random
> runs out of entropy rapidly and takes a long time to recover.

I have tries it on Debian Etch, Lenny and Sid with the same result... On
all three machines I have touse "-r /dev/urandom" which is realy weird.

> Using "dnssec-keygen -r /dev/urandom" will make it finish much
> faster, but that uses a pseudo-random number generator instead of true
> randomness, so it's not the best choice from the paranoid crypto viewpoint.
> I often use it for test zones and such. If I needed a proper bulletproof
> key on an Ubuntu box, and I didn't want to wait a long time for it, I'd
> probably generate the key on some other system and copy it over.

:-) I have 38.000 Zones and on my "AMD Sempron 2200+" with 3 GByte of
memory it take arround 40 Second to create ONE signed zone fro a script.

This mean, if I want to sign 38.000 zones it will run 18 days...

[Doug Barton]

On 05/28/10 13:53, Michelle Konzack wrote:
> Hello Evan,
>
> Am 2010-05-28 18:33:14, hacktest Du folgendes herunter:
>>> Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version
>>> 1:9.7.0.dfsg.P1-1~bpo50+1
>>
>> I get the same problem on Ubuntu, which is Debian-based. /dev/random
>> runs out of entropy rapidly and takes a long time to recover.
>
> I have tries it on Debian Etch, Lenny and Sid with the same result... On
> all three machines I have touse "-r /dev/urandom" which is realy weird.

...

> :-) I have 38.000 Zones and on my "AMD Sempron 2200+" with 3 GByte of
> memory it take arround 40 Second to create ONE signed zone fro a script.
>
> This mean, if I want to sign 38.000 zones it will run 18 days...

If you're planning to do production DNSSEC on Linux you really need to
configure an entropy gathering daemon in order to properly seed your
/dev/random device. You should be able to find resources for doing this
on line, or in a help forum for your particular brand(s) of Linux.

You might also consider evaluating FreeBSD for your name servers, it
comes with properly configured entropy gathering right out of the box,
and our implementation of /dev/random uses a PRNG method that hands out
high-quality "random" bits with very little danger of running out.

hth,

Doug

--

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/