Mark,

It took me a little longer than that:

Primary-Name/named:2$~ time /usr/local/bind/sbin/dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n zone example.net
Kexample.net.+005+21756

real    144m15.253s
user    0m0.088s
sys     0m0.008s

The random gathering process can only manage 4 or 5 bits per second. The only sources of entropy are the disk and ethernet, which are mostly unused. An identical server that has traffic manages to generate about 1400 bits/second.

You might try:

time rngtest -c 1 < /dev/random

which will tell you how long it takes you to generate 20000 random bits.

Enjoy your disorder,
Marcus

On Thu, Sep 4, 2008 at 10:44 AM, Mark Andrews <[EMAIL PROTECTED]> wrote:
>
>> It takes me about 85 minutes to generate a 1024 bit key for dnssec.
>> I'd like to install a
>> random number generator to speed the process up. Do you have any
>> suggestions, recommendations or reviews that I might consider?
>>
>> thanks,
>> -Marcus
>
> Or just ask on a list for your OS on how to properly configure
> your /dev/random.
>
> On a properly configured machine you should be able to
> generate multiple 1024 bit keys a second.
>
> % time dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n zone example.net
> Kexample.net.+005+39426
> 0.150u 0.000s 0:00.17 88.2% 476+286k 0+0io 1pf+0w
> %
>
> Mark
>
>> On Sat, Aug 30, 2008 at 8:17 PM, Mark Andrews <[EMAIL PROTECTED]> wrote:
>> >
>> >> On Sun, 31 Aug 2008 02:40:36 you wrote:
>> >> > > Hello all-
>> >> > >
>> >> > > The following command-
>> >> > >
>> >> > > /usr/local/sbin/dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1024 -n ZONE
>> >> > > example.com
>> >> > >
>> >> > > stalls. The system is Slackware Linux 12.1 with kernel 2.6.23-11.
>> >> > >
>> >> > > Michael
>> >> >
>> >> > You need to cause the kernel to gather entropy. The way to
>> >> > do that is to make the kernel do work.
>> >> >
>> >> > e.g.
>> >> > ls -R /
>> >>
>> >> While this does increase the entropy to over 3,000, it still doesn't work
>> >> (and the entropy sinks within a few seconds anyway)
>> >
>> > When generating large keys I just keep running "ls -R /" until the
>> > key generation completes. You can also use the keyboard. Install
>> > a hardware random number generator and configure the kernel to use
>> > it (might require an OS change as I don't know if this is supported
>> > under Linux).
>> >
>> > Mark
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
>> >
>> >
>>
>>
>>
>> --
>> Marcus Morgan
>> UF/OIT/CNS/NS/S
>> [EMAIL PROTECTED]
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
>

--
Marcus Morgan
UF/OIT/CNS/NS/S
[EMAIL PROTECTED]
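
The measurement discussed in this thread (how many bits per second the random device delivers, and what that means for a blocking reader such as dnssec-keygen) can be scripted as below. This is an added example, not part of any message in the thread; the function names and the 10-second default limit are assumptions, and the sample invocation in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): gauge how fast a random device
# delivers data, and what that implies for a blocking reader.

# entropy_avail: print the Linux kernel's entropy estimate, or "unknown"
# where /proc/sys/kernel/random/entropy_avail does not exist.
entropy_avail() {
    f=/proc/sys/kernel/random/entropy_avail
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# measure_rate SRC BYTES [LIMIT]: read up to BYTES from SRC, giving up
# after LIMIT seconds (default 10), and print whole bits per second.
# Uses timeout(1) when present so a starved device cannot hang the script.
measure_rate() {
    src=$1; want=$2; limit=${3:-10}
    start=$(date +%s)
    if command -v timeout >/dev/null 2>&1; then
        got=$(timeout "$limit" dd if="$src" bs=1 count="$want" 2>/dev/null | wc -c | tr -d ' ')
    else
        got=$(dd if="$src" bs=1 count="$want" 2>/dev/null | wc -c | tr -d ' ')
    fi
    elapsed=$(( $(date +%s) - start ))
    # date +%s has one-second resolution; treat faster reads as one second.
    if [ "$elapsed" -lt 1 ]; then elapsed=1; fi
    echo $(( got * 8 / elapsed ))
}

# estimate_seconds BITS RATE: seconds needed to collect BITS at RATE
# bits/second, rounded up; prints "never" when RATE is 0.
estimate_seconds() {
    bits=$1; rate=$2
    if [ "$rate" -le 0 ]; then echo never; return 0; fi
    echo $(( (bits + rate - 1) / rate ))
}

# Typical use (constructed invocation):
#   rate=$(measure_rate /dev/random 16 30)
#   echo "pool: $(entropy_avail)  rate: ${rate} bit/s"
#   echo "20000 bits would take $(estimate_seconds 20000 "$rate") s"
```

On Linux 5.6 and later /dev/random no longer blocks once the pool has been initialised, so on those kernels the figure reflects read speed rather than entropy gathering.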
