[Pdns-users] Random (was: When to do a key rollover?)

bert hubert bert.hubert at netherlabs.nl
Wed May 11 18:28:44 UTC 2011


On Wed, May 11, 2011 at 08:19:01PM +0200, Posner, Sebastian wrote:
> >    Otherwise, create a fresh and immediately active key
> > If the active ZSK will expire soon, create a spare key
> 
> These last two lines implicate another question: Is there any 
> possibility to influence the source of random used by pdns to create keys?

Hmm, no. This is because right now you can use many engines to create a key,
and each has different ways of gathering random.

For PowerDNS itself, you could use the 'entropy-source' setting.

Another solution is to create keys using an external tool and use pdnssec
import-zone-key.

> Perhaps a question for everybody.. How do you make sure you have enough
> *good* random for (frequent) key generation for (many) different zones?

I've heard good things about http://www.entropykey.co.uk/ . This is a sort
of halfway solution - I'd not suggest just using /dev/urandom afterwards for
state secrets ;-) but it looks pretty good.

I just ordered one to find out.

> Same KSK/ZSK for all deployed zones to reduce the amount of random
> cyclically needed? Write a script to query random.org? Invest $BIGBUCKS
> to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O

There are other solutions too - you could for example create a large random
stream based on a single piece of high quality random. For example, take 256
bits of high quality random and encrypt several gigabytes of /dev/urandom
with it. Take care never to store the 256 bits and you should be good to go.

The entropykey looks pretty good though for a 'no thinking' solution.

	Bert
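The "stretch one piece of high-quality random" idea from the reply above, as an added example that is not PowerDNS code and not Bert's own script. It assumes a stand-in for "encrypt gigabytes of /dev/urandom with a 256-bit key": HMAC-SHA256 in counter mode (a keyed PRF from the Python standard library, since the stdlib ships no AES) keyed with the 256-bit seed, with each PRF block XORed against a block pulled from /dev/urandom. The entropy source is a parameter so it can be replaced with a deterministic stand-in for testing; `os.urandom` is the default. The seed lives only in memory and is never written out, as the post recommends.

```python
"""Expand a single 256-bit secret into an arbitrarily long random stream.

Added example (not PowerDNS code).  Technique swapped in: HMAC-SHA256 in
counter mode stands in for the block cipher the post talks about.
"""
import hashlib
import hmac
import os

BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per PRF call


def prf_block(seed: bytes, counter: int) -> bytes:
    """One 32-byte keystream block: HMAC-SHA256(seed, counter)."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def expand_seed(seed: bytes, nbytes: int, source=os.urandom) -> bytes:
    """Return nbytes derived from a 256-bit seed and an entropy source.

    Each keystream block is XORed with a block read from `source`
    (/dev/urandom by default), so the result is no weaker than either
    input on its own.  `source` is hypothetical plumbing for testing:
    pass a callable returning n bytes to make the output deterministic.
    """
    if len(seed) != 32:
        raise ValueError("seed must be exactly 256 bits")
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        keystream = prf_block(seed, counter)
        mix = source(BLOCK)
        out.extend(k ^ m for k, m in zip(keystream, mix))
        counter += 1
    return bytes(out[:nbytes])


def write_stream(path: str, nbytes: int, seed_source=os.urandom) -> int:
    """Draw a fresh 256-bit seed, write nbytes of expanded stream to `path`,
    then wipe the seed buffer.  Returns the number of bytes written.

    The seed itself is never stored; only the expanded output leaves memory.
    """
    seed = bytearray(seed_source(32))
    written = 0
    with open(path, "wb") as fh:
        # Write in 1 MiB chunks so several gigabytes do not sit in RAM.
        chunk = 1 << 20
        counter = 0
        while written < nbytes:
            want = min(chunk, nbytes - written)
            # Continue the counter across chunks so blocks are never reused.
            data = _expand_from(bytes(seed), counter, want)
            counter += (want + BLOCK - 1) // BLOCK
            fh.write(data)
            written += want
    for i in range(len(seed)):
        seed[i] = 0  # best-effort wipe; Python may have copied it elsewhere
    return written


def _expand_from(seed: bytes, start_counter: int, nbytes: int) -> bytes:
    """Like expand_seed but starting at a given block counter."""
    out = bytearray()
    counter = start_counter
    while len(out) < nbytes:
        keystream = prf_block(seed, counter)
        mix = os.urandom(BLOCK)
        out.extend(k ^ m for k, m in zip(keystream, mix))
        counter += 1
    return bytes(out[:nbytes])


if __name__ == "__main__":
    # Produce 64 bytes from a throwaway seed and show them in hex.
    print(expand_seed(os.urandom(32), 64).hex())
```

With the same seed and the same source output the stream repeats, which is exactly why the post says never to store the 256 bits: anyone holding the seed and the recorded /dev/urandom input can regenerate every key that came out of it. The resulting file can be fed to whatever external key generator you prefer, with the key then loaded via `pdnssec import-zone-key` as described in the reply.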
