A few things to try:

1: Make sure that /dev/urandom is actually doing something:
dd if=/dev/urandom bs=1k count=1  | strings

2: You might want to try the same thing on /dev/random, but you will (probably) get way way less output -- you might want to look into seeing if your machine has a hardware entropy source and can/does expose it somewhere -- you can also investigate adding a hardware random source. From a quick look online, AIX is much more restrictive about its entropy sources, but you should be able to run a daemon that adds entropy.

You should also see where BIND believes it should suck randomness from -- it will log this when it starts, mine looks like:

Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf
Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'
Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets

W



On Apr 19, 2010, at 5:59 AM, Khuu, Linh MicroTech wrote:

I'm running BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.

# odmget CuDvDr | grep -p random
CuDvDr:
       resource = "ddins"
       value1 = "random"
       value2 = "34"
       value3 = ""

crw-r--r--    1 root     system       34,  0 Feb 26 2009  random
crw-r--r--    1 root     system       34,  1 Feb 26 2009  urandom

I'm running BIND9 on 4 DNS servers with the same build, same OS. 2 of the DNS servers are running with no problem. The other 2 show an error in the dnssec log:

13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:
3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
(keyid=47948): You must use the keyboard to create entropy, since
your system is lacking
/dev/random (or equivalent)

Linh Khuu
-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message "your system is lacking /dev/random (or equivalent)"


On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:

I just turned on the dnssec-validation today, and I saw lots of
messages:

13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:
3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset
(keyid=47948): You must use the keyboard to create entropy, since
your system is lacking
/dev/random (or equivalent)

13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:
usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the
keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

13-Apr-2010 15:26:37.385 dnssec: debug 3:   validating @202c0e28:
usps.gov SOA: verify rdataset (keyid=43133): You must use the
keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts does it log anything
like: "--with-randomdev=<something>"?
What operating system, etc? You haven't really provided very much
useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does
not provide a useful source of entropy (do you have a /dev/random?)
and so it wants you to add some. This is not a BIND problem, it is an
OS (or, more likely, configuration) issue.

W





Linh Khuu
Network Security Specialist
MicroTech ESS Contract
Office: 410-966-0798
Pager: 410-232-2350
Email: linh.k...@ssa.gov


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
If the bad guys have copies of your MD5 passwords, then you have way
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen



--
"Beware that the most effective way for someone to decrypt your data may be with rubber hose." --- SSH 1.2.12 README


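The two checks suggested at the top of this thread (is the device actually delivering data, and which device was named built to read), as an added example that is not code from the thread or from ISC. It assumes a POSIX sh with dd, od, sed, sort, wc, tr and mktemp; the "built with" log lines it parses are a constructed copy of the format quoted above, and the function and variable names are the author's own. It goes a little beyond `| strings` by also flagging a device that answers reads but returns constant bytes, which `strings` alone would not reveal.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC: a repeatable version of
# the two checks suggested above. Assumes a POSIX sh with dd, od, sed, sort,
# wc, tr and mktemp, and a named startup log in the format quoted above.

# check_randomdev DEV [NBYTES]
# Read NBYTES (default 1024) from DEV and make sure it is really delivering
# varied data. Exit status: 0 = looks fine, 1 = device unreadable or short
# read, 2 = output is (near-)constant, which a stuck or misconfigured source
# would produce and which "| strings" alone will not reveal.
check_randomdev() {
    rd_dev=$1
    rd_n=${2:-1024}
    rd_tmp=$(mktemp) || return 1
    # bs=1 so a short read shows up as a short file rather than a partial block.
    if ! dd if="$rd_dev" of="$rd_tmp" bs=1 count="$rd_n" 2>/dev/null; then
        rm -f "$rd_tmp"
        return 1
    fi
    rd_got=$(wc -c < "$rd_tmp" | tr -d ' ')
    if [ "$rd_got" -ne "$rd_n" ]; then
        rm -f "$rd_tmp"
        return 1
    fi
    # Count distinct byte values. 1 KiB of genuinely random output shows about
    # 251 of the 256 possible values; a stuck source shows one or a handful.
    rd_distinct=$(od -An -v -tu1 "$rd_tmp" | tr -s ' ' '\n' | sed '/^$/d' | sort -un | wc -l | tr -d ' ')
    rm -f "$rd_tmp"
    [ "$rd_distinct" -ge 200 ] && return 0
    return 2
}

# randomdev_from_log LOGFILE
# Print the device named by --with-randomdev=... in named's "built with" line,
# or "unknown" if no such line is present (e.g. a build that did not set it).
randomdev_from_log() {
    rl_dev=$(sed -n "s/.*--with-randomdev=\([^' ]*\).*/\1/p" "$1" | head -n 1)
    if [ -n "$rl_dev" ]; then
        printf '%s\n' "$rl_dev"
    else
        printf 'unknown\n'
    fi
}

# Constructed sample of the startup lines quoted above (not a real log file).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf
Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'
Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets
EOF

built_dev=$(randomdev_from_log "$sample_log")
rm -f "$sample_log"
echo "named was built with randomdev=$built_dev"

if [ "$built_dev" != unknown ]; then
    check_randomdev "$built_dev"
    case $? in
        0) echo "$built_dev: delivering varied data" ;;
        1) echo "$built_dev: unreadable or short read" ;;
        *) echo "$built_dev: output looks constant, do not trust it" ;;
    esac
fi
```

On a real server, point randomdev_from_log at named's own log (or the syslog file it writes to) instead of the constructed sample, and run check_randomdev against /dev/random as well as /dev/urandom; on a system where /dev/random blocks for lack of entropy the read will stall or come up short, which is the "device unreadable or short read" case and is exactly the condition that the "use the keyboard to create entropy" message in the thread describes.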