can't generate key via dnssec-keygen

5,700

By default, dnssec-keygen uses /dev/random - the generation is slow, even more so on less busy systems.

One of the alternatives is trying to make the system busier by running more processes in the background. It will still be a bit slow, but less slow. Virtual machines are usually less impacted, entropy-wise, when using more I/O.

Another alternative is using /dev/urandom. /dev/urandom is a pseudo-random generator, but unless you have just booted the system, it should be random enough for your needs.

I advise then using /dev/urandom as the source instead, adding -r /dev/urandom to your command, as in:

dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {host}

For more, please read:

Bug 1025554 - generating keys using dnssec-keygen is very slow

As run by @ceph3us after adding the -r /dev/urandom parameter,

$ dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {host}

key generation time:

real 0m0.033s
user 0m0.028s
sys 0m0.004s
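An added shell example, written for this page and not taken from the answer or from BIND, that turns the advice above and the later comments into a check: it reads the kernel's entropy_avail (the value ceph3us reports below), compares it against the 512-bit key size in the command, and decides from the installed dnssec-keygen version whether -r /dev/urandom may still be passed (9.14.2 rejects it, per the comments). Assumptions: the 9.14 cut-off is derived from that one comment, the 2x margin over the key size is a rule of thumb rather than a documented threshold, and `dnssec-keygen -V` is assumed to print the version; when the tool or /proc file is missing, constructed sample values are used instead.

```shell
#!/bin/sh
# Added example (not from the original answer or from BIND): decide whether
# a /dev/random-backed dnssec-keygen is likely to block, and which RNG flag
# the installed version still accepts.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Current pool size in bits. Outside Linux the file does not exist, so fall
# back to a constructed sample (890, the value reported in the comments).
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo 890   # constructed sample value, not a live reading
    fi
}

# Classify a pool size against the requested key length. Requiring twice the
# key length is an assumption (a margin), not a kernel-documented threshold.
classify_entropy() {
    bits=$1
    needed=$2
    if [ "$bits" -ge $((needed * 2)) ]; then
        echo ok
    else
        echo low
    fi
}

# RNG argument to prepend for a given version string such as "9.9.5" or
# "9.16.1-Ubuntu". Versions 9.14 and later are assumed to reject -r (the
# comments report the fatal error on 9.14.2), so nothing is returned for them.
# -r goes first because at least one reader found it was not accepted later.
rng_args_for_version() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 14 ]; }; then
        echo ""
    else
        echo "-r /dev/urandom"
    fi
}

# Full command line for a 512-bit HOST key, with the RNG flag chosen by version.
keygen_command() {
    ver=$1
    host=$2
    rng=$(rng_args_for_version "$ver")
    if [ -n "$rng" ]; then
        echo "dnssec-keygen $rng -a HMAC-MD5 -b 512 -n HOST $host"
    else
        echo "dnssec-keygen -a HMAC-MD5 -b 512 -n HOST $host"
    fi
}

main() {
    bits=$(entropy_avail)
    echo "entropy_avail: $bits bits -> $(classify_entropy "$bits" 512) for a 512-bit key"
    if command -v dnssec-keygen >/dev/null 2>&1; then
        # Assumes -V prints "dnssec-keygen <version> ..." on its first line.
        ver=$(dnssec-keygen -V 2>&1 | head -n 1 | awk '{print $2}')
    else
        ver=9.9.5   # constructed sample version when the tool is not installed
    fi
    echo "detected version: $ver"
    echo "suggested command: $(keygen_command "$ver" example.host)"
}

main
```

On a pool reported as "low" the script does not try to add noise; it only tells you whether the blocking /dev/random path is the likely cause, so that the fix (the -r flag on old versions, or simply waiting on new ones, which always use system random data) can be chosen deliberately.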

Updated on September 18, 2022

Comments

  • ceph3us (almost 2 years):
     $ dnssec-keygen -a HMAC-MD5 -b 512 -n HOST {host}

    above results in blank line and endless waiting

     $ dnssec-keygen -T DNSKEY -a HMAC-MD5 -b 512 -n HOST {host}

    the same

    entropy:

     $ cat /proc/sys/kernel/random/entropy_avail
     890

    ps. I was trying to make some noise by find / but that brought no result

    • ceph3us (about 8 years):
      @RuiFRibeiro - have occasion to ask what key do you propose to use to change dns entry - as i want to make dynamic changes from my client (host) as i got dynamic ip on home and vps with dns (and i want to be sure that this is secure enough - is there a way for me to use my key on pkcs11 device?)
    • ceph3us (about 8 years):
      @RuiFRibeiro I mean that on PKCS11 I have ECC private/public keys and certificates - i like to reuse them as i do on http server or java apps
  • xer0x (over 6 years):
    The -r /dev/urandom needs to go at the front of the parameters. I tried the first example and it failed on my install.
  • KaiserKatze (about 5 years):
    UPDATE: Executing dnssec-keygen (Version: 9.14.2) with the -r option will produce the following error: dnssec-keygen: fatal: The -r option has been deprecated. System random data is always used.
  • Rui F Ribeiro (about 5 years):
    @KaiserKatze Good to know that after 3 years they have fixed it in the code. Interesting, thanks for the heads up.
  • KaiserKatze (about 5 years):
    @RuiFRibeiro you're welcome, sir. btw the HMAC algorithm is removed from dnssec-keygen, come and take a look at my post here