Re: [Pdns-users] Random (was: When to do a key rollover?)
bert hubert wrote: > > Perhaps a question for everybody.. How do make yure you have enough > > *good* random for (frequent) key generation for (many) different > > zones? > > I've heard good things about http://www.entropykey.co.uk/ . > This is a sort of halfway solution - I'd not suggest just using > /dev/urandom afterwards for state secrets ;-) but it looks pretty good. > > I just ordered one to find out. Looks interesting indeed; but one should care to use a case-internal non-hotplug-accessible USB-port for it; otherwise it would be a perfect hardware-DOS on the nameserver.. > > Same KSK/ZSK for all deployed zones to reduce the amount of > > random cyclically needed? Write a script to query random.org? > > Invest $BIGBUCKS to purchase expensive TRNG-Hardware? > > Use /dev/urandom instead? o.O > > There are other solutions too - you could for example create a > large random stream based on a single piece of high quality random. > For example, take 256 bits of high quality random and encrypt several > gigabytes of /dev/urandom with it. Take care never to store the 256 > bits and you should be good to go. Memories, please come back..! xD I had a discussion on this topic some time ago (this question keeps turning my mind) with a friend of mine; he's just working on his PhD on a random-heavy subject, and we spent quite a time discussing (or me listening to him^^) how or how not to improve the quality of given random; but the bottom-line slipped my mind -.- And I completely forgot to elaborate on the possibilities that came to my mind for this..^^ One good thing was the Intel 80802 firmware hub; part of the 840-series Intel PIII-chipset, which included a TRNG using thermal noise. Sadly; this wasn't continued in later models. A DIY-Idea was integrating a sound card into the server and connect a mistuned radio to the audio-in to use this static noise for random. The idea currently in evaluation is using smaller players for server-hardware: Since 2003, VIA develops the PadLock security engine, which includes an on-chip-TRNG in the processor-die which generates thermal noise based random at quite a high rate. And this is included in almost any given VIA-CPU since then. So, next to all the AMD and Intel-driven HP, Dell, IBM and other bolides in the server-room, soon there might one or two noname VIA-powered machines ;) The linux-kernel already supports this TRNG; you only need to load the via_rng-module. The only drawback: This module doesn't fill /dev/random but uses /dev/hwrandom; that's why I asked for changing pdns' source of random. Sebastian -- baboo ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Random (was: When to do a key rollover?)
On Wed, May 11, 2011 at 08:19:01PM +0200, Posner, Sebastian wrote: > >Otherwise, create a fresh and immediately active key > > If the active ZSK will expire soon, create a spare key > > These last two lines implicate another question: Is there any > possibility to influence the source of random used by pdns to create keys? Hmm, no. This is because right now you can use many engines to create a key, and each has different ways of gathering random. For PowerDNS itself, you could use the 'entropy-source' setting. Another solution is to create keys using an external tool and use pdnssec import-zone-key. > Perhaps a question for everybody.. How do make yure you have enough > *good* random for (frequent) key generation for (many) different zones? I've heard good things about http://www.entropykey.co.uk/ . This is a sort of halfway solution - I'd not suggest just using /dev/urandom afterwards for state secrets ;-) but it looks pretty good. I just ordered one to find out. > Same KSK/ZSK for all deployed zones to reduce the amount of random > cyclically needed? Write a script to query random.org? Invest $BIGBUCKS > to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O There are other solutions too - you could for example create a large random stream based on a single piece of high quality random. For example, take 256 bits of high quality random and encrypt several gigabytes of /dev/urandom with it. Take care never to store the 256 bits and you should be good to go. The entropykey looks pretty good though for a 'no thinking' solution. Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] Random (was: When to do a key rollover?)
Maik Zumstrull wrote: [key rollover] > The basic logic per zone is: > > Disable any expired ZSKs > Make sure there is an active ZSK >If we already have a fresh spare key, enable it >Otherwise, create a fresh and immediately active key > If the active ZSK will expire soon, create a spare key These last two lines implicate another question: Is there any possibility to influence the source of random used by pdns to create keys? On a server, typically there is not much in /dev/random as there are typically no user interactions, and if you issue a hidden primary for DNSSECing your zones there is even less IO or other random things that happen on machines to fill the pool. Perhaps a question for everybody.. How do make yure you have enough *good* random for (frequent) key generation for (many) different zones? Same KSK/ZSK for all deployed zones to reduce the amount of random cyclically needed? Write a script to query random.org? Invest $BIGBUCKS to purchase expensive TRNG-Hardware? Use /dev/urandom instead? o.O Sebastian -- baboo ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
