dnssec-keygen takes forever to generate a keyfile

Bug #963368 reported by Vasya Pupkin
This bug affects 2 people
Affects: bind9 (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

A command `dnssec-keygen -f KSK example.com` took more than 30 hours to complete on my system. It's not something anyone would expect from a simple keyfile generation utility.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: bind9 1:9.7.0.dfsg.P1-1ubuntu0.4
ProcVersionSignature: Ubuntu 2.6.32-39.86-generic-pae 2.6.32.56+drm33.22
Uname: Linux 2.6.32-39-generic-pae i686
Architecture: i386
Date: Fri Mar 23 23:02:42 2012
InstallationMedia: Ubuntu-Server 10.04.3 LTS "Lucid Lynx" - Release i386 (20110719.2)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: bind9

Vasya Pupkin (shadowlmd) wrote :
James Page (james-page)
Changed in bind9 (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bind9 (Ubuntu):
status: New → Confirmed
Alexander Gurvitz (0k53dmx9cig8cqkasqs0vqz-alex-f830mk0e7z07dk74sm41k1n) wrote :

It is NOT a bug.

In order to generate SECURE keys, dnssec-keygen reads /dev/random, which will block until there's enough entropy available on your system. Some systems have very little entropy and thus dnssec-keygen may take forever.

Possible solutions:
1. apt-get install haveged
haveged daemon supplies lots of entropy to /dev/random.

2. dnssec-keygen -r /dev/urandom
Will use "non-blocking" pseudo-random device (lower security).

3. Move mouse and tap on keyboard - kernel uses this as entropy source.

4. Buy a hardware entropy device.

Changed in bind9 (Ubuntu):
status: Confirmed → Invalid
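
The entropy starvation described in the comment above can be confirmed before changing anything. The following is an added example, not part of the bug report or of BIND: it samples the kernel's entropy estimate twice and gives a rough time until a given number of bits would be available. `/proc/sys/kernel/random/entropy_avail` is the standard Linux interface; the function names, the `ENTROPY_FILE` override and the 2048-bit figure in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: diagnose a stalled dnssec-keygen by measuring how fast
# the kernel entropy estimate refills. ENTROPY_FILE can be overridden so
# the logic can be exercised on constructed input.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}

# Print the kernel's entropy estimate in bits.
# Fails if the file is unreadable or does not hold a plain number.
entropy_bits() {
    [ -r "$ENTROPY_FILE" ] || return 1
    read -r bits < "$ENTROPY_FILE" || return 1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$bits"
}

# eta_seconds NEEDED BEFORE AFTER INTERVAL
# Rough time until NEEDED bits are available, from two samples taken
# INTERVAL seconds apart. Prints 0 if there is already enough and
# "stalled" if the estimate is not growing. It ignores bits drained by
# other readers, so treat the result as a lower bound.
eta_seconds() {
    needed=$1 before=$2 after=$3 interval=$4
    if [ "$after" -ge "$needed" ]; then echo 0; return 0; fi
    gained=$((after - before))
    if [ "$gained" -le 0 ]; then echo stalled; return 0; fi
    # ceil((needed - after) * interval / gained)
    echo $(( ((needed - after) * interval + gained - 1) / gained ))
}

# diagnose NEEDED INTERVAL: take two samples and report the estimate.
diagnose() {
    needed=$1 interval=$2
    b0=$(entropy_bits) || { echo "cannot read $ENTROPY_FILE"; return 1; }
    sleep "$interval"
    b1=$(entropy_bits) || { echo "cannot read $ENTROPY_FILE"; return 1; }
    eta=$(eta_seconds "$needed" "$b0" "$b1" "$interval")
    echo "entropy: $b0 -> $b1 bits in ${interval}s; eta for $needed bits: $eta"
}

# Runs only when given arguments, e.g.: sh entropy-check.sh 2048 10
# (2048 is an assumed figure, not dnssec-keygen's actual requirement).
if [ "$#" -ge 2 ]; then diagnose "$1" "$2"; fi
```

A result of `stalled`, or an estimate measured in hours, on an idle headless server matches the behaviour reported here and points at the entropy source rather than at `dnssec-keygen`.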