[Pdns-users] Random (was: When to do a key rollover?)
s.posner at telekom.de
Wed May 11 19:11:03 UTC 2011
bert hubert wrote:
> > Perhaps a question for everybody.. How do make yure you have enough
> > *good* random for (frequent) key generation for (many) different
> > zones?
> I've heard good things about http://www.entropykey.co.uk/ .
> This is a sort of halfway solution - I'd not suggest just using
> /dev/urandom afterwards for state secrets ;-) but it looks pretty good.
> I just ordered one to find out.
Looks interesting indeed; but one should care to use a case-internal
non-hotplug-accessible USB-port for it; otherwise it would be a perfect
hardware-DOS on the nameserver..
> > Same KSK/ZSK for all deployed zones to reduce the amount of
> > random cyclically needed? Write a script to query random.org?
> > Invest $BIGBUCKS to purchase expensive TRNG-Hardware?
> > Use /dev/urandom instead? o.O
> There are other solutions too - you could for example create a
> large random stream based on a single piece of high quality random.
> For example, take 256 bits of high quality random and encrypt several
> gigabytes of /dev/urandom with it. Take care never to store the 256
> bits and you should be good to go.
Memories, please come back..! xD
I had a discussion on this topic some time ago (this question
keeps turning my mind) with a friend of mine; he's just working
on his PhD on a random-heavy subject, and we spent quite a time
discussing (or me listening to him^^) how or how not to improve
the quality of given random; but the bottom-line slipped my mind -.-
And I completely forgot to elaborate on the possibilities that
came to my mind for this..^^
One good thing was the Intel 80802 firmware hub; part of the
840-series Intel PIII-chipset, which included a TRNG using
thermal noise. Sadly; this wasn't continued in later models.
A DIY-Idea was integrating a sound card into the server and
connect a mistuned radio to the audio-in to use this static
noise for random.
The idea currently in evaluation is using smaller players for
server-hardware: Since 2003, VIA develops the PadLock security
engine, which includes an on-chip-TRNG in the processor-die
which generates thermal noise based random at quite a high rate.
And this is included in almost any given VIA-CPU since then.
So, next to all the AMD and Intel-driven HP, Dell, IBM and
other bolides in the server-room, soon there might one or
two noname VIA-powered machines ;)
The linux-kernel already supports this TRNG; you only need
to load the via_rng-module. The only drawback: This module
doesn't fill /dev/random but uses /dev/hwrandom; that's why I
asked for changing pdns' source of random.
More information about the Pdns-users