dnssec-keygen takes forever to generate a keyfile

Bug #963368 reported by Vasya Pupkin on 2012-03-23
This bug affects 2 people
Affects: bind9 (Ubuntu)

Bug Description

A command `dnssec-keygen -f KSK example.com` took more than 30 hours to complete on my system. It's not something anyone would expect from a simple keyfile generation utility.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: bind9 1:9.7.0.dfsg.P1-1ubuntu0.4
ProcVersionSignature: Ubuntu 2.6.32-39.86-generic-pae
Uname: Linux 2.6.32-39-generic-pae i686
Architecture: i386
Date: Fri Mar 23 23:02:42 2012
InstallationMedia: Ubuntu-Server 10.04.3 LTS "Lucid Lynx" - Release i386 (20110719.2)
SourcePackage: bind9

Vasya Pupkin (shadowlmd) wrote :
James Page (james-page) on 2012-04-02
Changed in bind9 (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bind9 (Ubuntu):
status: New → Confirmed

It is NOT a bug.

In order to generate SECURE keys, dnssec-keygen reads /dev/random, which will block until there's enough entropy available on your system. Some systems have very little entropy and thus dnssec-keygen may take forever.

Possible solutions:

1. `apt-get install haveged`
   haveged daemon supplies lots of entropy to /dev/random.

2. `dnssec-keygen -r /dev/urandom`
   Will use "non-blocking" pseudo-random device (lower security).

3. Move mouse and tap on keyboard - kernel uses this as entropy source.

4. Buy a hardware entropy device.

Changed in bind9 (Ubuntu):
status: Confirmed → Invalid
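
Added example (not part of the original bug report or the reply above): a POSIX shell check of the kernel's entropy estimate, to tell whether a blocking read of /dev/random such as the one described in the comment is likely to stall. It reads `/proc/sys/kernel/random/entropy_avail`; the function names and the NEED value (how many bits the caller expects to be consumed) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: estimate whether a blocking /dev/random read will stall.
# Kernel's running estimate of available entropy, in bits (Linux procfs).
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_avail [FILE]: print the current entropy estimate in bits.
entropy_avail() {
    cat "${1:-$ENTROPY_FILE}"
}

# estimate_wait HAVE NEED GAINED SECONDS
# HAVE and NEED are bits; GAINED is how many bits the pool gained
# during SECONDS of sampling (zero or negative if it is not refilling).
# Prints "ready", "stalled", or the estimated wait in whole seconds.
estimate_wait() {
    have=$1 need=$2 gained=$3 secs=$4
    if [ "$have" -ge "$need" ]; then
        echo ready
    elif [ "$gained" -le 0 ]; then
        # Pool is short and not refilling: a blocking read waits indefinitely.
        echo stalled
    else
        missing=$((need - have))
        # Ceiling of missing * secs / gained, using integer arithmetic.
        echo $(( (missing * secs + gained - 1) / gained ))
    fi
}

# check_entropy NEED [INTERVAL]: sample the pool twice, INTERVAL seconds
# apart (default 5), and report using estimate_wait.
# NEED is chosen by the caller; it is an assumption, not a value from the report.
check_entropy() {
    need=$1 interval=${2:-5}
    first=$(entropy_avail)
    sleep "$interval"
    second=$(entropy_avail)
    estimate_wait "$second" "$need" $((second - first)) "$interval"
}
```

On recent Linux kernels /dev/random no longer blocks once the pool has been initialised, so a stall like this one is specific to older kernels such as the 2.6.32 kernel in the report.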