Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
> On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> > Hello,
> > I was setting up BIND DNSSEC and when I issue the following command the
> > process never finishes.
> > dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
> > I straced the process and noticed the following messages
> > write(2, "Generating key pair.", 20Generating key pair.) = 20
> > gettimeofday({1335044641, 756413}, NULL) = 0
> > read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
> > read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > read(3, "p\32\254\352$\264:\22", 51) = 8
> > read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > read(3, "\370\270\363IE\342X\343", 43) = 8
> > read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
> > select(4, [3], [], NULL, NULL) = 1 (in [3])
> > My machine is a virtual host; does anyone have any ideas what resource is
> > temporarily unavailable?
>
> /dev/random - VMs, with no keyboard or mouse, don't accumulate enough
> entropy to keep /dev/random full. Installing haveged would probably
> help; or consider generating keys on a machine with a decent amount of
> entropy and securely moving them to your VM.
>
> Bill.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


Yes - lack of Entropy, try...
dd if=/dev/random of=/dev/null bs=128 count=1
... a few times.

Check your entropy levels
cat /proc/sys/kernel/random/entropy_avail

The package haveged does a very reasonable job - I found a description
of it at: www.irisa.fr/caps/projects/hipsor

or you can buy a hardware entropy source (USB dongle like device)

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



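The two pieces of advice above (Bill's diagnosis that the EAGAIN in the strace is /dev/random running dry, and Mark's suggestion to check entropy_avail) can be turned into a small pre-flight check to run on a VM before generating keys. This is an added example, not code from the thread or from BIND: it reads the same kernel counter Mark names and reproduces Bill's diagnosis by attempting a non-blocking read of /dev/random, which returns EAGAIN exactly as dnssec-keygen's blocking read did. The 128-bit low-water mark is an assumption for illustration, not a kernel constant, and the paths are parameters so the logic can be exercised on constructed files.

```python
"""Pre-flight check for kernel entropy starvation before running dnssec-keygen.

Added example, not code from the bind-users thread or from BIND. The
low-water mark below is an assumed threshold chosen for illustration.
"""
import errno
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # counter Mark suggests checking
RANDOM_DEV = "/dev/random"
LOW_WATER_MARK = 128  # assumption: below this many bits, blocking reads are likely


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's entropy estimate in bits, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def nonblocking_random_read(path=RANDOM_DEV, nbytes=16):
    """Probe the random device without blocking.

    Returns (status, data): 'ok' with nbytes of data, 'starved' when the
    kernel answers EAGAIN (what the strace in the question shows), or
    'error' for any other failure such as a missing device.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return "error", b""
    try:
        return "ok", os.read(fd, nbytes)
    except BlockingIOError:
        return "starved", b""
    except OSError as exc:
        return ("starved" if exc.errno == errno.EAGAIN else "error"), b""
    finally:
        os.close(fd)


def classify(avail, probe_status, low=LOW_WATER_MARK):
    """Combine the counter and the probe result into one verdict."""
    if avail is None:
        return "unknown"
    if avail < low or probe_status == "starved":
        return "starved"
    return "healthy"


def assess(path=ENTROPY_AVAIL, dev=RANDOM_DEV, low=LOW_WATER_MARK):
    """Run both checks against the given paths and return the verdict string."""
    status, _ = nonblocking_random_read(dev)
    return classify(read_entropy_avail(path), status, low)


if __name__ == "__main__":
    print("entropy_avail:", read_entropy_avail())
    print("verdict:", assess())
```

A "starved" verdict is the cue to install haveged or to generate the keys elsewhere, as Bill suggests, rather than waiting on a blocked dnssec-keygen. One caveat: since Linux 5.6 /dev/random no longer blocks once the CRNG is initialised, so the probe only reports "starved" early in boot on current kernels; the counter check remains informative on the older kernels this thread was written against.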

RE: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Spain, Dr. Jeffry A.
> I was setting up BIND DNSSEC and when I issue the following command the
> process never finishes.
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a 
discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/) by a 
frequent poster to this forum.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School



Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Damian Myerscough
Thanks a lot, I have now resolved this issue. However, I was following
the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have
followed all the steps up to "you are now serving DNSSEC signed zones".

However, I seem to be getting the following errors

Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/trusted: sending notifies (serial 2012031202)
Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/global: sending notifies (serial 2012031202)
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53


When I use the signed zone my views also seem to break... Any idea on this?

[1] http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

On 22 April 2012 12:40, Spain, Dr. Jeffry A. spa...@countryday.net wrote:

> > I was setting up BIND DNSSEC and when I issue the following command the
> > process never finishes.
> > dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
>
> Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a
> discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/)
> by a frequent poster to this forum.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School




-- 
Regards,
Damian Myerscough
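When named starts logging "lame server" and "unexpected RCODE REFUSED" lines like the ones in the message above, the first triage question is which responding server is behind each kind of failure. The following is an added example, not code from the thread or from BIND: it parses lines in the format shown above and tallies failures per server address and kind. The sample log is constructed from the lines in the message (same format, same addresses), joined back onto single lines.

```python
"""Triage named 'lame server' / 'unexpected RCODE' log lines by responding server.

Added example, not from the bind-users thread or from BIND. The sample
lines below are constructed from the log excerpt in the thread.
"""
import re
from collections import defaultdict

# Syslog-style prefix written by named: "Mon DD HH:MM:SS host named[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+named\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Lame delegation: the server answered but is not authoritative for the zone.
LAME_RE = re.compile(
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): (?P<server>\S+)"
)
# Unexpected RCODE (REFUSED here): the server declined the query outright.
RCODE_RE = re.compile(
    r"error \(unexpected RCODE (?P<rcode>\w+)\) resolving '(?P<q>[^']+)': (?P<server>\S+)"
)


def classify(line):
    """Return (kind, server, subject) for a resolution-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    lame = LAME_RE.search(msg)
    if lame:
        return ("lame", lame.group("server"), lame.group("name"))
    rc = RCODE_RE.search(msg)
    if rc:
        return (f"rcode-{rc.group('rcode')}", rc.group("server"), rc.group("q"))
    return None  # notifies, zone loads and other routine messages are ignored


def summarize(lines):
    """Count failures as {server: {kind: count}} so the problem address stands out."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            kind, server, _ = hit
            counts[server][kind] += 1
    return {server: dict(kinds) for server, kinds in counts.items()}


# Constructed sample in the format of the thread's excerpt (not a live capture).
SAMPLE_LOG = [
    "Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/trusted: sending notifies (serial 2012031202)",
    "Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53",
    "Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53",
    "Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53",
    "Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53",
]

if __name__ == "__main__":
    for server, kinds in summarize(SAMPLE_LOG).items():
        print(server, kinds)
```

Run against a real named log, a server that shows up only under "lame" is one that is listed as authoritative (or is being asked as if it were) but does not serve the zone, while a server under "rcode-REFUSED" is refusing the queries; in Damian's case the follow-up message explains the cause was a mangled configuration file rather than the remote servers themselves.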

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> Thanks a lot, I have now resolved this issue. However, I was following
> the DNSSEC in 6 minutes guide [1]
> for learning purposes and I have followed all the steps up to you are
> now serving DNSSEC signed zones.

Reading the presentation - which dates itself

Slide 16, rather use
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename   (for ZSK)

Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048
bits for the KSK.

This avoids you having to do an algorithm rollover - which is a royal
pain in the proverbial. It's also what the 'root' uses.
('dig @i.root-servers.net. . dnskey' gives:
'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
The '8' part is algo RSASHA256; you probably have a '5' there.




 
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



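Mark's reading of the DNSKEY records (257 = KSK with the SEP bit, 256 = ZSK, and the third number being the algorithm, 8 for RSASHA256 versus 5 for RSASHA1) can be automated so an operator can check their own zone the same way. The following is an added example, not code from the thread or from BIND: it parses DNSKEY lines in the presentation format dig prints, decodes the flags and algorithm fields, and lists keys still on the RSASHA1 family that would need the algorithm rollover Mark warns about. The sample records are constructed to look like root and example.com DNSKEY output; the key material in them is a placeholder, not real keys.

```python
"""Decode DNSKEY records (flags and algorithm) and flag RSASHA1-era keys.

Added example, not from the bind-users thread or from BIND. Sample records
are constructed; the base64 key fields are placeholders.
"""
import re

# IANA DNS security algorithm numbers for the values discussed in the thread
# and a few common neighbours; anything else is reported by number.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
}
SEP_FLAG = 0x0001       # Secure Entry Point: set on KSKs (257), clear on ZSKs (256)
ZONE_KEY_FLAG = 0x0100  # bit 7: this is a zone key (set in both 256 and 257)

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)


def parse_dnskey(line):
    """Describe one presentation-format DNSKEY line, or return None if it is not one."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        return None
    flags = int(m.group("flags"))
    alg = int(m.group("alg"))
    return {
        "owner": m.group("owner"),
        "flags": flags,
        "role": "KSK" if flags & SEP_FLAG else "ZSK",
        "zone_key": bool(flags & ZONE_KEY_FLAG),
        "protocol": int(m.group("proto")),  # always 3 for DNSSEC
        "algorithm": alg,
        "algorithm_name": ALGORITHMS.get(alg, f"unknown({alg})"),
    }


def keys_needing_rollover(lines, legacy=(5, 7)):
    """(owner, role, algorithm name) for keys still on RSASHA1-family algorithms."""
    found = []
    for line in lines:
        rec = parse_dnskey(line)
        if rec and rec["algorithm"] in legacy:
            found.append((rec["owner"], rec["role"], rec["algorithm_name"]))
    return found


# Constructed sample: the shape of 'dig . DNSKEY' output for the root (algorithm 8),
# plus a zone whose keys came from 'dnssec-keygen -a RSASHA1' (algorithm 5).
SAMPLE = [
    ".  172800  IN  DNSKEY  257 3 8 AwEAAaz/placeholderKSK==",
    ".  172800  IN  DNSKEY  256 3 8 AwEAAbz/placeholderZSK==",
    "example.com.  3600  IN  DNSKEY  256 3 5 AwEAAcz/placeholderZSK==",
    "example.com.  3600  IN  DNSKEY  257 3 5 AwEAAdz/placeholderKSK==",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_dnskey(line)
        print(f"{rec['owner']:<14} {rec['role']} algorithm {rec['algorithm']} ({rec['algorithm_name']})")
    for owner, role, name in keys_needing_rollover(SAMPLE):
        print(f"rollover candidate: {owner} {role} still on {name}")
```

Feeding it the output of 'dig @i.root-servers.net. . dnskey' gives the 257/8 and 256/8 pair Mark quotes; feeding it your own zone's DNSKEY RRset shows immediately whether the '5' he expects is there.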

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Damian Myerscough
Thanks for your help, I noticed a small regex which modified my
configuration file thus causing errors.

On 22 April 2012 17:03, Mark Elkins m...@posix.co.za wrote:

> On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> > Thanks a lot, I have now resolved this issue. However, I was following
> > the DNSSEC in 6 minutes guide [1]
> > for learning purposes and I have followed all the steps up to you are
> > now serving DNSSEC signed zones.
>
> Reading the presentation - which dates itself
>
> Slide 16, rather use
> dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename   (for ZSK)
>
> Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048
> bits for the KSK.
>
> This avoids you having to do an algorithm rollover - which is a royal
> pain in the proverbial. It's also what the 'root' uses.
> ('dig @i.root-servers.net. . dnskey' gives:
> 'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
> The '8' part is algo RSASHA256; you probably have a '5' there.
>
> --
>   .  . ___. .__  Posix Systems - (South) Africa
>  /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
> / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496






-- 
Regards,
Damian Myerscough

DNSSEC Generating Zone Key hanging

2012-04-21 Thread Damian Myerscough
Hello,

I was setting up BIND DNSSEC and when I issue the following command the
process never finishes.

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

I straced the process and noticed the following messages

write(2, "Generating key pair.", 20Generating key pair.) = 20
gettimeofday({1335044641, 756413}, NULL) = 0
read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
read(3, "p\32\254\352$\264:\22", 51) = 8
read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])
read(3, "\370\270\363IE\342X\343", 43) = 8
read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL) = 1 (in [3])


My machine is a virtual host; does anyone have any ideas what resource is
temporarily unavailable?

-- 
Regards,
Damian Myerscough

Re: DNSSEC Generating Zone Key hanging

2012-04-21 Thread Bill Owens
On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> Hello,
> I was setting up BIND DNSSEC and when I issue the following command the
> process never finishes.
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
> I straced the process and noticed the following messages
> write(2, "Generating key pair.", 20Generating key pair.) = 20
> gettimeofday({1335044641, 756413}, NULL) = 0
> read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
> read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
> select(4, [3], [], NULL, NULL) = 1 (in [3])
> read(3, "p\32\254\352$\264:\22", 51) = 8
> read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
> select(4, [3], [], NULL, NULL) = 1 (in [3])
> read(3, "\370\270\363IE\342X\343", 43) = 8
> read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
> select(4, [3], [], NULL, NULL) = 1 (in [3])
> My machine is a virtual host; does anyone have any ideas what resource is
> temporarily unavailable?

/dev/random - VMs, with no keyboard or mouse, don't accumulate enough entropy 
to keep /dev/random full. Installing haveged would probably help; or consider 
generating keys on a machine with a decent amount of entropy and securely 
moving them to your VM.

Bill.