[Pdns-users] Random (was: When to do a key rollover?)

Posner, Sebastian s.posner at telekom.de
Wed May 11 18:19:01 UTC 2011

Maik Zumstrull wrote:

[key rollover]

> The basic logic per zone is:
> Disable any expired ZSKs
> Make sure there is an active ZSK
>    If we already have a fresh spare key, enable it

>    Otherwise, create a fresh and immediately active key
> If the active ZSK will expire soon, create a spare key

These last two lines implicate another question: Is there any 
possibility to influence the source of random used by pdns to create keys?

On a server, typically there is not much in /dev/random as there are 
typically no user interactions, and if you issue a hidden primary for 
DNSSECing your zones there is even less IO or other random things that
happen on machines to fill the pool.

Perhaps a question for everybody.. How do make yure you have enough
*good* random for (frequent) key generation for (many) different zones?

Same KSK/ZSK for all deployed zones to reduce the amount of random
cyclically needed? Write a script to query random.org? Invest $BIGBUCKS
to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O


More information about the Pdns-users mailing list