dnssec-keygen takes forever to generate a keyfile
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
bind9 (Ubuntu) | | Medium | Unassigned | | |
Bug Description
A command `dnssec-keygen -f KSK example.com` took more than 30 hours to complete on my system. It's not something anyone would expect from a simple keyfile generation utility.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: bind9 1:9.7.0.
ProcVersionSign
Uname: Linux 2.6.32-
Architecture: i386
Date: Fri Mar 23 23:02:42 2012
InstallationMedia: Ubuntu-Server 10.04.3 LTS "Lucid Lynx" - Release i386 (20110719.2)
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: bind9
Vasya Pupkin (shadowlmd) wrote : | #1 |
Changed in bind9 (Ubuntu): | |
importance: | Undecided → Medium |
It is NOT a bug.
In order to generate SECURE keys, dnssec-keygen reads /dev/random, which will block until there's enough entropy available on your system. Some systems have very little entropy and thus dnssec-keygen may take forever.
Possible solutions:
1. `apt-get install haveged`
   haveged daemon supplies lots of entropy to /dev/random.
2. `dnssec-keygen -r /dev/urandom`
   Will use "non-blocking" pseudo-random device (lower security).
3. Move mouse and tap on keyboard - kernel uses this as entropy source.
4. Buy a hardware entropy device.
Changed in bind9 (Ubuntu): | |
status: | Confirmed → Invalid |
Status changed to 'Confirmed' because the bug affects multiple users.
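
An added example, not part of the bug report or of BIND: a shell guard for the blocking behaviour described in the comment above, so that a key-generation job fails fast instead of waiting on /dev/random. It assumes a Linux kernel that exposes its entropy estimate at /proc/sys/kernel/random/entropy_avail and blocks /dev/random when that estimate is low; the function names, the 1024-bit threshold and the 60-second timeout are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads the kernel's entropy estimate
# so a job can fail fast instead of blocking on /dev/random.
# The threshold and timeout used below are assumptions; tune them per system.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_bits [FILE]: print the estimate in bits; status 2 if the file is
# unreadable or does not hold a plain non-negative integer.
entropy_bits() {
    _file="${1:-$ENTROPY_FILE}"
    [ -r "$_file" ] || return 2
    _bits=""
    read -r _bits < "$_file" || [ -n "$_bits" ] || return 2
    case "$_bits" in
        ''|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$_bits"
}

# entropy_verdict NEEDED [FILE]: print ok / low / unknown (status 0 / 1 / 2).
entropy_verdict() {
    if ! _have=$(entropy_bits "$2"); then
        echo unknown
        return 2
    fi
    if [ "$_have" -ge "$1" ]; then
        echo ok
        return 0
    fi
    echo low
    return 1
}

# wait_for_entropy NEEDED TIMEOUT_SECONDS [FILE]: poll once per second until
# the estimate reaches NEEDED; status 1 on timeout, 2 if it cannot be read.
wait_for_entropy() {
    _left="$2"
    while :; do
        _rc=0
        entropy_verdict "$1" "$3" >/dev/null || _rc=$?
        if [ "$_rc" -ne 1 ]; then return "$_rc"; fi
        if [ "$_left" -le 0 ]; then return 1; fi
        sleep 1
        _left=$((_left - 1))
    done
}

# Typical use before the blocking run (command taken from the report):
#   wait_for_entropy 1024 60 && dnssec-keygen -f KSK example.com
```

A status of 1 from `wait_for_entropy` is the signal to fix the entropy supply (for example with haveged, as suggested above) rather than to wait longer.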