RE: Question about message "your system is lacking dev/random (or equivalent)"

Mon, 19 Apr 2010 03:04:25 -0700 

I'm running the BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.

# odmget CuDvDr | grep -p random
CuDvDr:
        resource = "ddins"
        value1 = "random"
        value2 = "34"
        value3 = ""

crw-r--r--    1 root     system       34,  0 Feb 26 2009  random
crw-r--r--    1 root     system       34,  1 Feb 26 2009  urandom

I'm running BIND9 on 4 DNS servers with same build, same OS. 2 of DNS servers 
are running with no problem. The other 2 show error in the dnssec log:

13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:  
 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset  
 (keyid=47948): You must use the keyboard to create entropy, since  
 your system is lacking
 /dev/random (or equivalent)

Linh Khuu
-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message "your system is lacking dev/random (or 
equivalent)"


On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:

> I just turned on the dnssec-validation today, and I saw lots of  
> messages:
>
> 13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:  
> 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset  
> (keyid=47948): You must use the keyboard to create entropy, since  
> your system is lacking
> /dev/random (or equivalent)
>
> 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:  
> usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the  
> keyboard to create entropy, since your system is lacking
> /dev/random (or equivalent)
>
> 13-Apr-2010 15:26:37.385 dnssec: debug 3:   validating @202c0e28:  
> usps.gov SOA: verify rdataset (keyid=43133): You must use the  
> keyboard to create entropy, since your system is lacking
> /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts does it log anything  
like: "--with-randomdev=<something>"?
What operating system, etc? You haven't really provided very much  
useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does  
not provide a useful source of entropy (do you have a /dev/random?)  
and so it want you to add some. This is not a BIND problem, it is an  
OS (or more likely configuration issue).

W




>
> Linh Khuu
> Network Security Specialist
> MicroTech ESS Contract
> Office: 410-966-0798
> Pager: 410-232-2350
> Email: linh.k...@ssa.gov
>
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
If the bad guys have copies of your MD5 passwords, then you have way  
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen

Attachment: PGP.sig
Description: PGP signature

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to