

To: dnsop@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Thu, 28 Feb 2002 15:12:15 -0500
Sender: owner-dnsop@cafax.se
Subject: secure-ddns-howto.html


>One possible problem that can be encountered with dnssec-keygen is that it
>might use up all the entropy in /dev/random before it is done generating the
>key. This will make dnssec-keygen appear to hang, when in fact it is simply
>waiting for more entropy. One solution to this is to use the -r <randomdev>
>parameter that allows you to specify another random device, such as
>/dev/urandom. 

  Well, that isn't very good advice. If there isn't enough entropy in
/dev/random, then there certainly isn't enough in /dev/urandom. urandom just
"makes stuff up" instead of blocking. 

  If dnssec-keygen hangs, then you need to feed it more entropy, not tell it
to use a poorer entropy source. Rather than fall back to using /dev/urandom
instead, I suggest that you recommend, if it hangs, to open a new window and do
stuff (compile a kernel, visit slashdot; what precisely depends upon what
OS you are running and how it was compiled, but generally anything with
keyboard I/O).

  If nothing else, then do:
     dd if=/dev/audio of=/dev/random

  which is as good as using /dev/urandom anyway!
  (The above may not work on Linux unless you have a mixer open. It also
likely fails if your audio drivers are incomplete, as many have no input
functions...) 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
