dnssec-keygen hangs

Bug #650721 reported by Mark Sobell
This bug affects 1 person
Affects: bind9 (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: bind9

I am running under vmware. The following command never completes. ps shows no cpu time.

/usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n HOST keyname

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: bind9utils 1:9.7.1.dfsg.P2-2
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic i686
Architecture: i386
Date: Tue Sep 28 16:19:18 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Beta i386 (20100901.1)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: bind9

Thierry Carrez (ttx) wrote :

I think it's rather really slow to complete. It probably gathers entropy and VMs are notoriously bad at this. Does generating artificial I/O activity help in solving that?

Changed in bind9 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Mark Sobell (mark-sobell) wrote : Re: [Bug 650721] Re: dnssec-keygen hangs

Very good, thanks!
I ran rsync on / and the command completed almost
immediately.
I will put a note in my book to that effect.

--
  Mark

On Wednesday, September 29, 2010 07:37:45 am you wrote:
> I think it's rather really slow to complete. It probably
> gathers entropy and VMs are notoriously bad at this.
> Does generating artificial i/o activity helps in solving
> that ?
>
> ** Changed in: bind9 (Ubuntu)
> Importance: Undecided => Low
>
> ** Changed in: bind9 (Ubuntu)
> Status: New => Incomplete

Thierry Carrez (ttx)
Changed in bind9 (Ubuntu):
status: Incomplete → Invalid
Anders Stenberg (anders-stenberg) wrote :

Another way to get faster keys in vmware:
use "/dev/urandom" for entropy. "/dev/urandom" gives a lot of data.

dnssec-keygen -r /dev/urandom -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

You should know that "/dev/random" is a better noise pattern than "/dev/urandom". In theory /dev/random provides a better security level. But in practice, I have not seen any evidence that it's true.

Good luck / Anders.

JaccoH (jacco) wrote :

urandom is just as bad without entropy. You best use haveged. Perhaps it should be a dependency?
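
The diagnosis reached in this thread (a process that sleeps with no CPU time because it is waiting on the entropy pool) can be checked directly. The following is an added example, not part of the original bug report or of bind9: the function name, the 200-bit threshold and the PROC_ROOT parameter are assumptions, and it applies to kernels where /dev/random blocks, such as the 2.6.35 kernel in the report.

```shell
#!/bin/sh
# Added example: is a hung process waiting on the kernel entropy pool?
# Usage: entropy_stall_verdict PID [THRESHOLD_BITS] [PROC_ROOT]
# Prints one verdict: entropy-starved | pool-ok | pool-unknown |
#                     not-reading-random | no-such-process
# PROC_ROOT is a hypothetical parameter (default /proc) so the check can be
# run against a constructed directory tree. THRESHOLD_BITS is an assumed
# cutoff, not a kernel constant.
entropy_stall_verdict() {
    esv_pid=$1
    esv_threshold=${2:-200}
    esv_proc=${3:-/proc}

    [ -d "$esv_proc/$esv_pid" ] || { echo no-such-process; return 0; }

    # Step 1: does the process hold an open descriptor on the blocking device?
    esv_holds=no
    for esv_fd in "$esv_proc/$esv_pid"/fd/*; do
        [ -L "$esv_fd" ] || continue
        if [ "$(readlink "$esv_fd")" = /dev/random ]; then
            esv_holds=yes
            break
        fi
    done
    [ "$esv_holds" = yes ] || { echo not-reading-random; return 0; }

    # Step 2: read the kernel's estimate of available entropy, in bits.
    esv_avail=$(cat "$esv_proc/sys/kernel/random/entropy_avail" 2>/dev/null) \
        || esv_avail=
    case $esv_avail in
        ''|*[!0-9]*) echo pool-unknown; return 0 ;;
    esac

    # Step 3: a low estimate plus an open /dev/random explains the "hang".
    if [ "$esv_avail" -lt "$esv_threshold" ]; then
        echo entropy-starved
    else
        echo pool-ok
    fi
}

# When run as a script with arguments, report on the given PID.
if [ "$#" -gt 0 ]; then
    entropy_stall_verdict "$@"
fi
```

Reading another user's /proc/PID/fd entries requires root; run the check as the owner of the stalled process or with sudo.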
