You can use -r /dev/urandom to speed the key generation up. There is no easy formula to calculate the number of name servers needed, as it depends on. On some systems, especially virtual machines with insufficient entropy, it may take much longer than one cares to wait. There was a bug in the old OpenSSL builds that made OpenSSL ignore the RNG engine modification. Hi, is it normal that dnssec-keygen is this slow? But taking a guess, you're using -r /dev/random for your entropy, which blocks when. If you run dnssec-keygen and it appears to hang, particularly on a virtual machine, the program is actually waiting for entropy, i.e. The links in this chain of trust are delegation signer records (DS RRtype). It'd be helpful if you showed us exactly what you're doing. The files with the extensions .key and .private contain the public and the private key as generated by dnssec-keygen; the file with the extension .attr contains attribute information needed to operate the key store, while the file with the extension .adm contains some administration and audit information.
DNSSEC key management and zone signing (RIPE Network). This hang is probably caused by the dnssec-keygen command taking a long time to generate a new random key. Virtual machines are usually less impacted in entropy when using more I/O. DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks. The option value is passed to dnssec-keygen as the -a flag. In order to verify your zone, DNSSEC requires a chain of trust from the root. Cryptographic algorithm used to generate the zone's keys. Additional options for dnssec-keygen may be specified using this. If the entropy on your system is low, you won't get enough random data to generate the keys in a timely manner.
I've only seen this happen when a non-default DNSSEC key type is selected, or if the system doesn't have enough entropy to generate a random key. The Center for Internet Security DNS BIND benchmark. Solved: is it normal that dnssec-keygen is this slow? Some systems have very little entropy and thus dnssec-keygen may take forever. Configure DNSSEC for BIND DNS server in CentOS 7 (centlinux). It creates a file that contains a key record for each key, and self-signs the key set with each zone key.
What to do if dnssec-keygen hangs forever (domainhelp). It can also generate keys for use with TSIG (transaction signatures). As a solution to the lack of entropy on a machine, I frequently use a small program called haveged, and this also works very nicely on virtual environments. One of the alternatives is trying to make the system busier by running more processes in the background. In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data.