[Pdns-users] Random (was: When to do a key rollover?)

Posner, Sebastian s.posner at telekom.de
Wed May 11 19:11:03 UTC 2011


bert hubert wrote:

> > Perhaps a question for everybody.. How do you make sure you have enough
> > *good* random for (frequent) key generation for (many) different
> > zones?
> 
> I've heard good things about http://www.entropykey.co.uk/ . 
> This is a sort of halfway solution - I'd not suggest just using 
> /dev/urandom afterwards for state secrets ;-) but it looks pretty good.
> 
> I just ordered one to find out.

Looks interesting indeed; but one should take care to use a case-internal
non-hotplug-accessible USB port for it; otherwise it would be a perfect
hardware DoS on the nameserver..

> > Same KSK/ZSK for all deployed zones to reduce the amount of 
> > random cyclically needed? Write a script to query random.org? 
> > Invest $BIGBUCKS to purchase expensive TRNG-Hardware? 
> > Use /dev/urandom instead? o.O
> 
> There are other solutions too - you could for example create a 
> large random stream based on a single piece of high quality random. 
> For example, take 256 bits of high quality random and encrypt several 
> gigabytes of /dev/urandom with it. Take care never to store the 256 
> bits and you should be good to go.

Memories, please come back..! xD 
I had a discussion on this topic some time ago (this question 
keeps turning my mind) with a friend of mine; he's just working 
on his PhD on a random-heavy subject, and we spent quite a time
discussing (or me listening to him^^) how or how not to improve
the quality of given random; but the bottom-line slipped my mind -.-




And I completely forgot to elaborate on the possibilities that
came to my mind for this..^^

One good thing was the Intel 80802 firmware hub; part of the 
840-series Intel PIII-chipset, which included a TRNG using 
thermal noise. Sadly, this wasn't continued in later models.

A DIY idea was integrating a sound card into the server and
connecting a mistuned radio to the audio-in to use this static 
noise for random.


The idea currently in evaluation is using smaller players for 
server hardware: Since 2003, VIA has been developing the PadLock security 
engine, which includes an on-chip TRNG in the processor die 
which generates thermal-noise-based random at quite a high rate.
And this is included in almost any given VIA CPU since then.

So, next to all the AMD and Intel-driven HP, Dell, IBM and
other bolides in the server-room, soon there might be one or
two noname VIA-powered machines ;)

The Linux kernel already supports this TRNG; you only need
to load the via_rng module. The only drawback: This module
doesn't fill /dev/random but uses /dev/hwrandom; that's why I
asked for changing pdns' source of random.

Sebastian
-- 
baboo
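
The stream-stretching idea quoted in this message (256 bits of high quality random used to encrypt bulk /dev/urandom output), as an added example that is not part of the original post and not PowerDNS code. Assumptions: an HMAC-SHA256 counter-mode keystream stands in for the cipher (the Python standard library has no AES), and the function names and zone names are hypothetical.

```python
import hashlib
import hmac
import os

SEED_BYTES = 32  # the "256 bits of high quality random" from the quoted suggestion


def keystream(seed: bytes, length: int) -> bytes:
    """Expand the seed with HMAC-SHA256 in counter mode.

    Swapped in for the cipher the post implies; this construction is the
    example's own choice, not something the thread specifies.
    """
    if len(seed) != SEED_BYTES:
        raise ValueError("seed must be exactly 256 bits")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stretch(seed: bytes, bulk: bytes) -> bytes:
    """'Encrypt' bulk (e.g. /dev/urandom output) by XOR with the keystream."""
    ks = keystream(seed, len(bulk))
    return bytes(a ^ b for a, b in zip(bulk, ks))


def zone_key_material(seed: bytes, zones, nbytes=32, urandom=os.urandom):
    """Hand each zone its own non-overlapping slice of one stretched stream."""
    zones = list(zones)
    stream = stretch(seed, urandom(nbytes * len(zones)))
    return {z: stream[i * nbytes:(i + 1) * nbytes] for i, z in enumerate(zones)}


if __name__ == "__main__":
    # Constructed demo: os.urandom stands in for the high-quality seed source.
    # The seed lives only in this variable and is never written to disk.
    seed = os.urandom(SEED_BYTES)
    zones = ["example.org", "example.net"]  # constructed zone names
    for zone, material in zone_key_material(seed, zones).items():
        print(zone, material.hex())
```

Anyone who recovers the seed can strip the keystream off again, which is why the quoted advice never to store the 256 bits matters.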


