Date: Tue, 15 Jan 2002 08:47:13 -0800
From: "Kevin Oberman" <oberman@ptavv.es.net>
To: "Graham Dunn" <graham_m_dunn@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: dnssec-keygen needs -r /dev/urandom on 4.5-RC
Message-ID: <20020115164713.B39885D1A@ptavv.es.net>
In-Reply-To: Your message of "Tue, 15 Jan 2002 16:00:04 GMT." <F149X3cf3ednHM3SOlb00014e8f@hotmail.com>
> From: "Graham Dunn" <graham_m_dunn@hotmail.com>
> Date: Tue, 15 Jan 2002 16:00:04 +0000
> Sender: owner-freebsd-questions@FreeBSD.ORG
>
> FreeBSD 4.5-RC (cvsup Fri Jan 11 14:23:07 GMT)
> Bind 9.1.3 from ports
>
> "dnssec-keygen -a hmac-md5 -b 128 -n user rndc" would just hang forever (or
> at least 15 minutes :). Adding -r /dev/urandom will allow the keys to be
> generated.
>
> How "safe" is /dev/urandom as a source of entropy? (There were a few
> messages on the bind-workers archive about FreeBSD-4.2's /dev/random not
> generating a lot of entropy).

/dev/urandom is fairly safe, but not in the class of /dev/random. The key is to configure the random device to gather entropy from other places so that it gathers more quickly. I recommend using the network interface IRQ and the disk IRQ. The keyboard and mouse are probably the most truly random, but tend to interrupt at a fairly low rate. See "man 4 random" and "man rndcontrol". You can get a list of IRQs for your system with 'vmstat -i'. Note that clock IRQs are not a good choice as they are very NON-random.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
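The IRQ-picking step from the reply above, as an added example that is not part of the original thread: a small sh script that reads `vmstat -i` output (a constructed sample is embedded, with assumed device names fxp0/ata0 and assumed IRQ numbers), drops the clock interrupts the reply warns against, and prints the matching `rndcontrol -s` commands for the chosen network and disk devices.

```shell
#!/bin/sh
# Added example, not from the original thread. Select non-clock IRQs from
# `vmstat -i` output and print the rndcontrol(8) commands that would feed
# them to the FreeBSD 4.x random device.
# The vmstat output below is constructed; run the real command on the host.
SAMPLE_VMSTAT='interrupt                   total       rate
clk0 irq0                 1234567        100
rtc0 irq8                 1580000        128
fxp0 irq10                 234567         19
ata0 irq14                  12345          1
psm0 irq12                    456          0
atkbd0 irq1                   789          0
Total                     3062724        248'

# Print "device irq" pairs for every IRQ line, skipping clk*/rtc* (the
# clock interrupts fire at a fixed rate and contribute no useful entropy).
entropy_irqs() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^irq[0-9]+$/ && $1 !~ /^(clk|rtc)/ {
            sub(/^irq/, "", $2); print $1, $2
        }'
}

# Emit one "rndcontrol -s <irq>" line per device whose name matches the
# regex in $2, e.g. network and disk drivers only.
rndcontrol_cmds() {
    entropy_irqs "$1" | awk -v pat="$2" '$1 ~ pat { printf "rndcontrol -s %s\n", $2 }'
}

# Example: network (fxp) and disk (ata) interrupts, as the reply recommends.
rndcontrol_cmds "$SAMPLE_VMSTAT" '^(fxp|ata)'
```

Review the printed commands before running them as root; rndcontrol(8) belongs to the FreeBSD 4.x random device and is not present on later releases.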