can't generate key via dnssec-keygen
By default, dnssec-keygen uses /dev/random - the generation is slow, so much more in less busy systems.
One of the alternatives is trying to make the system more busy by running more processes in the background. It will still be a bit slow, but less slow. Virtual machines are usually less impacted in entropy when using more I/O.
The other alternative is using /dev/urandom. /dev/urandom is a pseudo-random generator, but unless you are booting the system, it should be random enough for your needs.
I advise then to use /dev/urandom as source instead, adding -r /dev/urandom to your command, as in:
dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {host}
For more, please read:
Bug 1025554 - generating keys using dnssec-keygen is very slow
As run by @ceph3us after using the -r /dev/urandom parameter,
$ dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {host}
keys generation time:
real 0m0.033s
user 0m0.028s
sys 0m0.004s
ceph3us
Updated on September 18, 2022
Comments
-
ceph3us almost 2 years
$ dnssec-keygen -a HMAC-MD5 -b 512 -n HOST {host}
above results in blank line and endless waiting
$ dnssec-keygen -T DNSKEY -a HMAC-MD5 -b 512 -n HOST {host}
the same
entropy:
$ cat /proc/sys/kernel/random/entropy_avail
890
ps. I was trying to make some noise by find / but that brought no result
-
ceph3us about 8 years
@RuiFRibeiro - have occasion to ask what key do you propose to use to change DNS entry - as I want to make dynamic changes from my client (host) as I got dynamic IP on home and VPS with DNS (and I want to be sure that this is secure enough - is there a way for me to use my key on PKCS11 device?)
-
ceph3us about 8 years
@RuiFRibeiro mean that on PKCS11 I have ECC private/public keys and certificates - I like to reuse them as I do on HTTP server or Java apps
-
ceph3us about 8 years
Let us continue this discussion in chat.
-
xer0x over 6 years
The -r /dev/urandom needs to go at the front of the parameters. I tried the first example and it failed on my install.
-
KaiserKatze about 5 years
UPDATE: Executing dnssec-keygen (Version: 9.14.2) with -r option will produce the following error:
dnssec-keygen: fatal: The -r option has been deprecated. System random data is always used.
-
Rui F Ribeiro about 5 years
@KaiserKatze Good to know that after 3 years they have fixed it on the code. Interesting, thanks for the heads up.
-
KaiserKatze about 5 years
@RuiFRibeiro you're welcome, sir. btw HMAC algorithm is removed from dnssec-keygen, come and take a look at my post here
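Added example, not part of the original thread: a POSIX shell wrapper that passes -r /dev/urandom as the first arguments (as xer0x notes) and reruns without it when the binary prints the deprecation error KaiserKatze quotes. The names run_keygen and KEYGEN are chosen for this example; only the -r flag and the error text come from the page.

```shell
#!/bin/sh
# Added example (not from the thread). KEYGEN and run_keygen are names
# chosen here; the -r flag and the error text are taken from the page.

KEYGEN=${KEYGEN:-dnssec-keygen}
DEPRECATED_MSG='The -r option has been deprecated'

# run_keygen ARGS...
# Usage: run_keygen -a HMAC-MD5 -b 512 -n HOST {host}
# Tries "-r /dev/urandom" ahead of all other arguments. If the binary
# rejects -r with the deprecation error, reruns without it, because that
# build always uses system random data. Prints the tool's stdout (the key
# file basename) and returns the tool's exit status.
run_keygen() {
    err=$(mktemp) || return 1
    if out=$("$KEYGEN" -r /dev/urandom "$@" 2>"$err"); then
        rc=0
    else
        rc=$?
        # Only retry on the specific deprecation error; any other failure
        # (bad algorithm, bad name, permissions) is reported unchanged.
        if grep -q "$DEPRECATED_MSG" "$err"; then
            out=$("$KEYGEN" "$@" 2>"$err") && rc=0 || rc=$?
        fi
    fi
    [ "$rc" -eq 0 ] || cat "$err" >&2
    rm -f "$err"
    [ -n "$out" ] && printf '%s\n' "$out"
    return "$rc"
}
```

A failure other than the deprecation message is passed through with the tool's own stderr and exit status, so a removed algorithm still surfaces as an error instead of being masked by the retry.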