On Wed, May 11, 2011 at 08:19:01PM +0200, Posner, Sebastian wrote:

> > Otherwise, create a fresh and immediately active key
> > If the active ZSK will expire soon, create a spare key
>
> These last two lines implicate another question: Is there any
> possibility to influence the source of random used by pdns to create keys?

Hmm, no. This is because right now you can use many engines to create a key, and each has different ways of gathering random. For PowerDNS itself, you could use the 'entropy-source' setting. Another solution is to create keys using an external tool and use pdnssec import-zone-key.

> Perhaps a question for everybody.. How do you make sure you have enough
> *good* random for (frequent) key generation for (many) different zones?

I've heard good things about http://www.entropykey.co.uk/ . This is a sort of halfway solution - I'd not suggest just using /dev/urandom afterwards for state secrets ;-) but it looks pretty good. I just ordered one to find out.

> Same KSK/ZSK for all deployed zones to reduce the amount of random
> cyclically needed? Write a script to query random.org? Invest $BIGBUCKS
> to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O

There are other solutions too - you could for example create a large random stream based on a single piece of high quality random. For example, take 256 bits of high quality random and encrypt several gigabytes of /dev/urandom with it. Take care never to store the 256 bits and you should be good to go. The entropykey looks pretty good though for a 'no thinking' solution.

Bert

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
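The seed-expansion idea in Bert's last paragraph, as an added example that is not from the post or from PowerDNS: 256 bits of high-quality random act as the key, and the output of /dev/urandom (os.urandom here) is XORed with a keystream derived from that key in counter mode, one block at a time so gigabytes can be streamed without buffering. The post names no cipher, so HMAC-SHA256 in counter mode stands in for it; the seed is held only in memory and dropped when the stream is done.

```python
import hashlib
import hmac
import os

SEED_BITS = 256
BLOCK = hashlib.sha256().digest_size  # 32 bytes per keystream block


def keystream_block(seed: bytes, counter: int) -> bytes:
    """Counter-mode keystream block i = HMAC-SHA256(seed, i).

    HMAC-SHA256 is an assumption standing in for the block cipher the
    post leaves unspecified; any keyed PRF in counter mode works the same way.
    """
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def encrypt_random_stream(seed: bytes, nbytes: int, source=os.urandom):
    """Yield nbytes of source() output XORed with the seed-derived keystream.

    source(n) must return n bytes; os.urandom is the /dev/urandom stand-in.
    Blocks are produced lazily so the caller can write them straight to disk.
    """
    if len(seed) * 8 != SEED_BITS:
        raise ValueError("seed must be exactly 256 bits")
    counter, remaining = 0, nbytes
    while remaining > 0:
        n = min(BLOCK, remaining)
        raw = source(n)
        ks = keystream_block(seed, counter)
        yield bytes(a ^ b for a, b in zip(raw, ks))
        counter += 1
        remaining -= n


def generate(seed: bytes, nbytes: int, source=os.urandom) -> bytes:
    """Convenience wrapper: collect the whole stream into one bytes object."""
    return b"".join(encrypt_random_stream(seed, nbytes, source))


if __name__ == "__main__":
    # Constructed seed for the demo; in practice read these 32 bytes from a
    # hardware RNG or /dev/random, and never write them anywhere.
    seed = os.urandom(SEED_BITS // 8)
    with open("random-stream.bin", "wb") as out:
        for chunk in encrypt_random_stream(seed, 1 << 20):  # 1 MiB here
            out.write(chunk)
    del seed  # the key leaves memory; only the stream survives
```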