[Pdns-users] Random (was: When to do a key rollover?)
Posner, Sebastian
s.posner at telekom.de
Wed May 11 18:19:01 UTC 2011
Maik Zumstrull wrote:
[key rollover]
> The basic logic per zone is:
>
> Disable any expired ZSKs
> Make sure there is an active ZSK
> If we already have a fresh spare key, enable it
> Otherwise, create a fresh and immediately active key
> If the active ZSK will expire soon, create a spare key
These last two lines raise another question: Is there any
possibility to influence the source of random used by pdns to create keys?
On a server, typically there is not much in /dev/random as there are
typically no user interactions, and if you issue a hidden primary for
DNSSECing your zones there is even less IO or other random things that
happen on machines to fill the pool.
Perhaps a question for everybody... How do you make sure you have enough
*good* random for (frequent) key generation for (many) different zones?
Same KSK/ZSK for all deployed zones to reduce the amount of random
cyclically needed? Write a script to query random.org? Invest $BIGBUCKS
to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O
Sebastian
--
baboo
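The per-zone rollover rules quoted from Maik above, written out as an added example (not PowerDNS code); the 30-day key lifetime, the seven-day "soon" window, the one-spare-at-a-time rule and the field names are assumptions. Each `create` action is a point where the signer needs fresh randomness, which is what the question in this mail is about.

```python
# Added example, not PowerDNS code: the five quoted per-zone ZSK rules as a
# pure function over constructed key records. Lifetimes and names are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta

LIFETIME = timedelta(days=30)   # assumed validity of a newly created ZSK

@dataclass
class Zsk:
    key_id: int
    expires: datetime
    active: bool = False        # published and signing
    spare: bool = False         # pre-generated, waiting to be activated

@dataclass
class ZoneState:
    keys: list
    next_id: int = 1

def reconcile(zone, now, soon=timedelta(days=7)):
    """Apply the quoted rules once; return the actions taken, in order."""
    actions = []
    for k in zone.keys:                      # 1. disable any expired ZSKs
        if k.active and k.expires <= now:
            k.active = False
            actions.append(f"disable {k.key_id}")
    if not any(k.active for k in zone.keys):  # 2. make sure there is an active ZSK
        spares = [k for k in zone.keys if k.spare and k.expires > now]
        if spares:                           # 3. enable an existing fresh spare
            k = spares[0]
            k.spare, k.active = False, True
            actions.append(f"activate spare {k.key_id}")
        else:                                # 4. otherwise create one, immediately active
            k = Zsk(zone.next_id, now + LIFETIME, active=True)  # consumes randomness
            zone.next_id += 1
            zone.keys.append(k)
            actions.append(f"create active {k.key_id}")
    active = [k for k in zone.keys if k.active]
    # 5. active ZSK expires soon -> create a spare (assumption: at most one spare)
    if active and min(k.expires for k in active) - now <= soon \
            and not any(k.spare for k in zone.keys):
        k = Zsk(zone.next_id, now + LIFETIME, spare=True)       # consumes randomness
        zone.next_id += 1
        zone.keys.append(k)
        actions.append(f"create spare {k.key_id}")
    return actions

def demo():
    """Constructed scenario: one ZSK three days from expiry, reconciled on two dates."""
    now = datetime(2011, 5, 11)
    zone = ZoneState([Zsk(1, now + timedelta(days=3), active=True)], next_id=2)
    first = reconcile(zone, now)                           # spare gets created
    second = reconcile(zone, now + timedelta(days=3))      # old key out, spare in
    third = reconcile(zone, now + timedelta(days=3))       # steady state, nothing to do
    return first, second, third
```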