Re: DNSSEC Generating Zone Key hanging
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
> On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> > Hello,
> >
> > I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
> >
> > dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
> >
> > I straced the process and noticed the following messages:
> >
> > write(2, "Generating key pair.", 20Generating key pair.) = 20
> > gettimeofday({1335044641, 756413}, NULL) = 0
> > read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
> > read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > read(3, "p\32\254\352$\264:\22", 51) = 8
> > read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > read(3, "\370\270\363IE\342X\343", 43) = 8
> > read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> >
> > My machine is a virtual host, does anyone have any ideas what resource is temporarily unavailable?
>
> /dev/random - VMs, with no keyboard or mouse, don't accumulate enough entropy to keep /dev/random full. Installing haveged would probably help; or consider generating keys on a machine with a decent amount of entropy and securely moving them to your VM.
>
> Bill.

Yes - lack of entropy. Try...

dd if=/dev/random of=/dev/null bs=128 count=1

... a few times. Check your entropy levels:

cat /proc/sys/kernel/random/entropy_avail

The package haveged does a very reasonable job - I found a description of it at: www.irisa.fr/caps/projects/hipsor

Or you can buy a hardware entropy source (USB dongle like device).

-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
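Bill's diagnosis and Mark's check can be scripted. What follows is an added example, not code from this thread, from ISC or from any of the posters: it performs the same non-blocking read of /dev/random that the strace shows dnssec-keygen failing with EAGAIN, reads the kernel's entropy estimate from /proc/sys/kernel/random/entropy_avail, and turns the two observations into one verdict. The 512-bit low-water mark (one 64-byte read, the size of dnssec-keygen's first read in the trace) and the constructed files used by self_check() are assumptions made for illustration. Caveat: since Linux 5.6, /dev/random no longer blocks once the kernel's CRNG has been seeded, so on modern kernels the probe reports "ok"; it diagnoses the older blocking behaviour the thread is about.

```python
import os
import tempfile

# Paths from the thread's diagnosis (Linux).
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
RANDOM_DEV = "/dev/random"
# dnssec-keygen's first read in the strace asked for 64 bytes, i.e. 512 bits.
PROBE_BYTES = 64
LOW_WATER_BITS = PROBE_BYTES * 8   # assumed threshold for this example, not a kernel constant


def entropy_available(path=ENTROPY_AVAIL):
    """Return the kernel's entropy estimate in bits, or None if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def probe_random(path=RANDOM_DEV, nbytes=PROBE_BYTES):
    """Non-blocking read of the random device, mirroring what strace showed.

    Returns (status, bytes_read). 'starved' means read() failed with EAGAIN,
    so a normal blocking read (what dnssec-keygen does) would have hung here.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return ("unavailable", 0)
    try:
        data = os.read(fd, nbytes)
    except BlockingIOError:          # EAGAIN: pool empty, a blocking reader would wait
        return ("starved", 0)
    finally:
        os.close(fd)
    if not data:
        return ("eof", 0)
    return ("ok" if len(data) == nbytes else "short", len(data))


def diagnose(avail, status):
    """Turn the two observations into one verdict string."""
    if status == "starved":
        return ("blocked: /dev/random would block; dnssec-keygen hangs until the pool "
                "refills (haveged, rngd fed by a hardware RNG, or generate keys elsewhere)")
    if status == "unavailable":
        return "unknown: could not open the random device"
    if avail is not None and avail < LOW_WATER_BITS:
        return "low: kernel estimates %d bits, a %d-byte read may block" % (avail, PROBE_BYTES)
    return "ok: %s, entropy estimate %s bits" % (status, avail)


def self_check():
    """Exercise the probes on constructed inputs (a fake entropy_avail file holding
    '128' and a 64-byte regular file) so the logic runs even without /proc."""
    with tempfile.TemporaryDirectory() as d:
        fake_avail = os.path.join(d, "entropy_avail")
        with open(fake_avail, "w") as f:
            f.write("128\n")
        fake_dev = os.path.join(d, "random")
        with open(fake_dev, "wb") as f:
            f.write(b"\x00" * PROBE_BYTES)
        return {
            "avail": entropy_available(fake_avail),
            "probe": probe_random(fake_dev),
            "missing": entropy_available(os.path.join(d, "does-not-exist")),
        }


if __name__ == "__main__":
    avail = entropy_available()
    status, n = probe_random()
    print("entropy_avail=%s probe=%s (%d bytes)" % (avail, status, n))
    print(diagnose(avail, status))
```

Run it on the VM before starting dnssec-keygen; a "blocked" or "low" verdict is the condition the strace above shows, and re-running it after installing haveged (or after moving key generation to a host with real entropy sources) is the quickest confirmation that the fix took.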
RE: DNSSEC Generating Zone Key hanging
> I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
>
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/) by a frequent poster to this forum.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: DNSSEC Generating Zone Key hanging
Thanks a lot, I have now resolved this issue. However, I was following the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have followed all the steps up to "you are now serving DNSSEC signed zones". However, I seem to be getting the following errors:

Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/trusted: sending notifies (serial 2012031202)
Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/global: sending notifies (serial 2012031202)
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53

When I use the signed zone my views also seem to break... Any idea on this?

[1] http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

On 22 April 2012 12:40, Spain, Dr. Jeffry A. spa...@countryday.net wrote:
> > I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
> >
> > dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
>
> Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/) by a frequent poster to this forum.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

-- 
Regards,
Damian Myerscough
Re: DNSSEC Generating Zone Key hanging
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> Thanks a lot, I have now resolved this issue. However, I was following the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have followed all the steps up to "you are now serving DNSSEC signed zones".

Reading the presentation - which dates itself:

Slide 16: rather use

dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename

(for the ZSK)

Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048 bits for the KSK. This avoids you having to do an algorithm rollover - which is a royal pain in the proverbial. It's also what the 'root' uses. ('dig @i.root-servers.net. . dnskey' gives: 'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8'.) The '8' part is algo RSASHA256, you probably have a '5' there.

-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
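Mark's point about reading the algorithm number off `dig ... DNSKEY` output can be checked mechanically. The block below is an added example, not part of the thread and not BIND's or ISC's code: it parses DNSKEY records in presentation format, decodes the flags field (256 = zone key, so a ZSK; 257 = zone key plus the SEP bit, so a KSK; 128 = RFC 5011 revoked), maps the algorithm number to its IANA name, computes the RFC 4034 Appendix B key tag from the wire-format RDATA, and reports a "replace" verdict for legacy algorithms such as RSASHA1 (5). The two SAMPLE_RECORDS are constructed with dummy public-key bytes, so their key tags mean nothing outside this example, and the LEGACY_ALGORITHMS set is my own choice rather than a standard's.

```python
import base64

# IANA DNSSEC algorithm numbers (RFC 4034 A.1, RFC 5702, RFC 6605, RFC 8080).
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
# Numbers a new signing setup should avoid: my choice for this example. The
# thread's advice is to pick 8 over 5 so no algorithm rollover is needed later.
LEGACY_ALGORITHMS = {1, 3, 5, 6, 7, 12}

FLAG_ZONE_KEY = 0x0100   # bit 7: this DNSKEY signs zone data
FLAG_REVOKE = 0x0080     # bit 8: RFC 5011 revoked
FLAG_SEP = 0x0001        # bit 15: Secure Entry Point, i.e. a KSK


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over wire-format RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse one record as dig/named print it: owner [TTL] [class] DNSKEY flags proto alg key."""
    tokens = line.split()
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record: %r" % line)
    idx = tokens.index("DNSKEY")
    if idx < 1 or len(tokens) < idx + 5:
        raise ValueError("malformed DNSKEY record: %r" % line)
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3 (RFC 4034 2.1.2), got %d" % protocol)
    if algorithm == 1:
        raise ValueError("RSAMD5 key tags use a different rule (RFC 4034 B.1); not supported")
    # The base64 key may be printed as several whitespace-separated chunks.
    pubkey = base64.b64decode("".join(tokens[idx + 4:]), validate=True)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    if not flags & FLAG_ZONE_KEY:
        role = "not-a-zone-key"
    elif flags & FLAG_SEP:
        role = "KSK"
    else:
        role = "ZSK"
    return {
        "owner": tokens[0],
        "flags": flags,
        "role": role,
        "revoked": bool(flags & FLAG_REVOKE),
        "algorithm": algorithm,
        "algorithm_name": ALGORITHMS.get(algorithm, "UNASSIGNED(%d)" % algorithm),
        "legacy_algorithm": algorithm in LEGACY_ALGORITHMS,
        "key_tag": key_tag(rdata),
        "pubkey_bytes": len(pubkey),
    }


def audit(lines):
    """Return one (owner, role, algorithm name, key tag, verdict) tuple per record."""
    rows = []
    for line in lines:
        k = parse_dnskey(line)
        verdict = "ok"
        if k["revoked"]:
            verdict = "revoked"
        elif k["legacy_algorithm"]:
            verdict = ("replace: %s is legacy, use RSASHA256 (8) or ECDSAP256SHA256 (13)"
                       % k["algorithm_name"])
        rows.append((k["owner"], k["role"], k["algorithm_name"], k["key_tag"], verdict))
    return rows


# Constructed sample records: the public-key bytes are dummies, not real keys.
SAMPLE_RECORDS = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example.com. 3600 IN DNSKEY 256 3 5 " + base64.b64encode(bytes([0xFF] * 200)).decode(),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS):
        print(row)
```

Feed it the lines from `dig +short example.com DNSKEY` (prefixing an owner name, since +short drops it) or from the zone file itself; the key tag it prints is the one that must match the RRSIG and DS records for that key, so a mismatch points at a stale DS at the parent or a zone signed with a different key.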
Re: DNSSEC Generating Zone Key hanging
Thanks for your help, I noticed a small regex which modified my configuration file thus causing errors.

On 22 April 2012 17:03, Mark Elkins m...@posix.co.za wrote:
> On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> > Thanks a lot, I have now resolved this issue. However, I was following the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have followed all the steps up to "you are now serving DNSSEC signed zones".
>
> Reading the presentation - which dates itself:
>
> Slide 16: rather use
>
> dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename
>
> (for the ZSK)
>
> Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048 bits for the KSK. This avoids you having to do an algorithm rollover - which is a royal pain in the proverbial. It's also what the 'root' uses. ('dig @i.root-servers.net. . dnskey' gives: 'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8'.) The '8' part is algo RSASHA256, you probably have a '5' there.
>
> -- 
> Mark J Elkins, Cisco CCIE
> Posix Systems - (South) Africa
> m...@posix.co.za
> Tel: +27 12 807 0590  Cell: +27 82 601 0496

-- 
Regards,
Damian Myerscough
DNSSEC Generating Zone Key hanging
Hello,

I was setting up BIND DNSSEC and when I issue the following command the process never finishes.

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

I straced the process and noticed the following messages:

write(2, "Generating key pair.", 20Generating key pair.) = 20
gettimeofday({1335044641, 756413}, NULL) = 0
read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
read(3, "p\32\254\352$\264:\22", 51) = 8
read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
read(3, "\370\270\363IE\342X\343", 43) = 8
read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])

My machine is a virtual host, does anyone have any ideas what resource is temporarily unavailable?

-- 
Regards,
Damian Myerscough
Re: DNSSEC Generating Zone Key hanging
On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> Hello,
>
> I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
>
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
>
> I straced the process and noticed the following messages:
>
> write(2, "Generating key pair.", 20Generating key pair.) = 20
> gettimeofday({1335044641, 756413}, NULL) = 0
> read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
> read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
> select(4, [3], [], NULL, NULL) = 1 (in [3])
> read(3, "p\32\254\352$\264:\22", 51) = 8
> read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
> select(4, [3], [], NULL, NULL) = 1 (in [3])
> read(3, "\370\270\363IE\342X\343", 43) = 8
> read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
> select(4, [3], [], NULL, NULL) = 1 (in [3])
>
> My machine is a virtual host, does anyone have any ideas what resource is temporarily unavailable?

/dev/random - VMs, with no keyboard or mouse, don't accumulate enough entropy to keep /dev/random full. Installing haveged would probably help; or consider generating keys on a machine with a decent amount of entropy and securely moving them to your VM.

Bill.