From owner-freebsd-questions Tue Jan 15 8:47:16 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from ptavv.es.net (ptavv.es.net [198.128.4.29]) by hub.freebsd.org (Postfix) with ESMTP id 0CD0137B404 for ; Tue, 15 Jan 2002 08:47:14 -0800 (PST)
Received: from ptavv.es.net (localhost [127.0.0.1]) by ptavv.es.net (Postfix) with ESMTP id B39885D1A; Tue, 15 Jan 2002 08:47:13 -0800 (PST)
To: "Graham Dunn"
Cc: freebsd-questions@freebsd.org
Subject: Re: dnssec-keygen needs -r /dev/urandom on 4.5-RC
In-reply-to: Your message of "Tue, 15 Jan 2002 16:00:04 GMT."
Date: Tue, 15 Jan 2002 08:47:13 -0800
From: "Kevin Oberman"
Message-Id: <20020115164713.B39885D1A@ptavv.es.net>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> From: "Graham Dunn"
> Date: Tue, 15 Jan 2002 16:00:04 +0000
> Sender: owner-freebsd-questions@FreeBSD.ORG
>
> FreeBSD 4.5-RC (cvsup Fri Jan 11 14:23:07 GMT)
> Bind 9.1.3 from ports
>
> "dnssec-keygen -a hmac-md5 -b 128 -n user rndc" would just hang forever (or
> at least 15 minutes :). Adding -r /dev/urandom will allow the keys to be
> generated.
>
> How "safe" is /dev/urandom as a source of entropy? (There were a few
> messages on the bind-workers archive about FreeBSD-4.2's /dev/random not
> generating a lot of entropy).

/dev/urandom is fairly safe, but not in the class of /dev/random. The key
is to configure the random device to gather entropy from other places so
that it gathers more quickly. I recommend using the network interface IRQ
and the disk IRQ. The keyboard and mouse are probably the most truly
random, but tend to interrupt at a fairly low rate.

See "man 4 random" and "man rndcontrol". You can get a list of IRQs for
your system with 'vmstat -i'. Note that clock IRQs are not a good choice
as they are very NON-random.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message