Hi!

I have 4 DNS servers all running BIND 9.8.2 (the CentOS 6.5 package).  One
is configured as the master for about 100 zones.  The other 3 are slaves
for those 100 zones.  On the master the amount of entropy reported by "cat
/proc/sys/kernel/random/entropy_avail" was around 150.  On the slaves it
hovered around 90.

Is there a technical reason for the difference?

There is a graph of one of the slaves here:
http://serverfault.com/questions/582908/entropy-deprivation-on-bind-named-servers

Note: I've since enabled "rngd" and the available entropy hovers around 2k.
So the problem is "solved" that way, but it still makes me very
concerned that the amount of entropy in use was so different.  There is no
DNSSEC configured, no incremental zone transfers (just notifications sent
from the master to all slaves).

Anyone have any theories on why this might be?

Thanks in advance,
Tom


The specific version is:

# named -V
BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
-DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com