## Doug Barton (do...@dougbarton.us): > If you don't have enough random bits on your system to run these simple > tests, your /dev/random is seriously underpopulated, and likely a > security risk. You should definitely not put BIND in production compiled > with the option you mention above.
Our build/test environment is not our production environment. Further, the ideas about "random numbers for practical purposes" have shifted a bit. In short, you don't really need "high real entropy", but a stream of numbers *unpredictable to the adversary*. See: http://www.metzdowd.com/pipermail/cryptography/2014-February/019920.html http://blog.cr.yp.to/20140205-entropy.html http://iang.org/ssl/hard_truths_hard_random_numbers.html In fact, on systems like FreeBSD you never get to see the "entropy" directly, you only get the output of a PRNG (yarrow in this case), which is periodically reseeded with "real entropy". Even linux ranodm(4) suggests to use /dev/urandom in most cases, as frequent reads on /dev/random will deplete the entropy pool and make /dev/random unusuable for those who really need it. Regards, Christoph -- Spare Space _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
