[Pdns-users] Random (was: When to do a key rollover?)
bert hubert
bert.hubert at netherlabs.nl
Wed May 11 18:28:44 UTC 2011
On Wed, May 11, 2011 at 08:19:01PM +0200, Posner, Sebastian wrote:
> > Otherwise, create a fresh and immediately active key
> > If the active ZSK will expire soon, create a spare key
>
> These last two lines implicate another question: Is there any
> possibility to influence the source of random used by pdns to create keys?
Hmm, no. This is because right now you can use many engines to create a key,
and each has different ways of gathering random.
For PowerDNS itself, you could use the 'entropy-source' setting.
Another solution is to create keys using an external tool and use pdnssec
import-zone-key.
> Perhaps a question for everybody.. How do you make sure you have enough
> *good* random for (frequent) key generation for (many) different zones?
I've heard good things about http://www.entropykey.co.uk/ . This is a sort
of halfway solution - I'd not suggest just using /dev/urandom afterwards for
state secrets ;-) but it looks pretty good.
I just ordered one to find out.
> Same KSK/ZSK for all deployed zones to reduce the amount of random
> cyclically needed? Write a script to query random.org? Invest $BIGBUCKS
> to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O
There are other solutions too - you could for example create a large random
stream based on a single piece of high quality random. For example, take 256
bits of high quality random and encrypt several gigabytes of /dev/urandom
with it. Take care never to store the 256 bits and you should be good to go.
The entropykey looks pretty good though for a 'no thinking' solution.
Bert
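The construction described above (encrypt a large stream from /dev/urandom under 256 bits of high-quality random, then throw the 256 bits away), as an added Go example that is not from the original thread or from PowerDNS: AES-256-CTR is assumed as the cipher, crypto/rand stands in for both /dev/urandom and the carefully sourced seed, and ExpandEntropy and RandomStream are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ExpandEntropy returns a reader whose bytes are src (/dev/urandom in practice)
// encrypted with AES-256-CTR under the 32-byte seed, so the output stays
// unpredictable as long as the seed does. Single-use key, hence the zero IV.
func ExpandEntropy(seed []byte, src io.Reader) (io.Reader, error) {
	if len(seed) != 32 {
		return nil, fmt.Errorf("seed must be 32 bytes (256 bits), got %d", len(seed))
	}
	block, _ := aes.NewCipher(seed) // cannot fail: key length checked above
	iv := make([]byte, aes.BlockSize)
	return &cipher.StreamReader{S: cipher.NewCTR(block, iv), R: src}, nil
}

// RandomStream draws n expanded bytes and wipes the seed once the cipher is keyed;
// the 256 bits must never be stored. A source that runs dry is an error, not padding.
func RandomStream(n int, seed []byte, src io.Reader) ([]byte, error) {
	r, err := ExpandEntropy(seed, src)
	for i := range seed {
		seed[i] = 0
	}
	if err != nil {
		return nil, err
	}
	out := make([]byte, n)
	if _, err := io.ReadFull(r, out); err != nil {
		return nil, fmt.Errorf("source ran dry: %w", err)
	}
	return out, nil
}

func main() {
	seed := make([]byte, 32) // stand-in for the carefully sourced 256 bits
	if _, err := io.ReadFull(rand.Reader, seed); err != nil {
		panic(err)
	}
	out, err := RandomStream(1<<20, seed, rand.Reader) // 1 MiB of expanded random
	if err != nil {
		panic(err)
	}
	fmt.Printf("first 16 bytes: %x\nseed after use: %x\n", out[:16], seed)
}
```

On a real host, pass an opened /dev/urandom (or the entropy key's device) as src and feed the output to whatever tool generates the zone keys for pdnssec import-zone-key.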