2019-07-04 First tests with dnssec show a serious lack of entropy
I was looking at the options for implementing DNSSEC on the domains I have, and started doing this on a domain name that is just used for web redirects, so I won't break anything serious when I make an error. And I am looking at monitoring options at the same time.

Looking for usable documentation I found DNSSEC signatures in BIND named - sidn.nl which shows and explains a lot of the options for doing this with bind9, including full automation. I want to take steps I understand, so I will start with careful minimal automation on a domain name that I can 'break'.

Following that documentation I created a key-signing key (KSK) and a zone-signing key (ZSK). I used the /etc/bind/keys directory which is the standard location.

The first dnssec-signzone action took 54 minutes. After waiting for a bit I started wondering what was happening and it turned out to be a problem with entropy: the signing uses a lot of data from /dev/random. I have the virtio-rng module loaded but the host wasn't making randomness available to the guest operating system. The host server does run randomsound to get more entropy since there is no hardware random number generator available.

Documentation on how to 'forward' randomness from the host to the client virtual machine: Random number generator device - Domain XML format.

So I did some tests with a test virtual machine with a similar configuration. The results:

- Just software kernel rng in the virtual machine: 54 minutes.
- Offering virtio-rng randomness from the host from /dev/urandom running randomsound: less than 1 second.
- Offering virtio-rng randomness from the host from /dev/random running randomsound: 11 minutes 10 seconds.
- Offering virtio-rng randomness from the host from /dev/random running randomsound and haveged: less than 1 second.

Installing haveged which gathers entropy from hardware processes fixes the whole problem. Now to implement the same settings for the virtual machine running the production nameserver and I'll be able to take the next step.
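A guest-side check for the situation described above, where the virtio-rng module is loaded but the guest still starves for entropy. This is an added example, not part of the original post; the function name `rng_check`, its optional ROOT argument and the 256-bit threshold are assumptions.

```shell
#!/bin/sh
# Added example: report the guest's current hardware RNG and entropy estimate.
# rng_check [ROOT] [MIN]
#   ROOT  optional path prefix, so the check can run against a constructed tree
#   MIN   entropy_avail threshold in bits (256 is an assumption, not from the
#         post; newer kernels cap entropy_avail at 256)
rng_check() {
    root="${1:-}"
    min="${2:-256}"
    cur_file="$root/sys/class/misc/hw_random/rng_current"
    avail_file="$root/proc/sys/kernel/random/entropy_avail"

    # rng_current reads "none" when a driver is loaded but no device is attached.
    cur="none"
    [ -r "$cur_file" ] && cur=$(cat "$cur_file")
    avail=0
    [ -r "$avail_file" ] && avail=$(cat "$avail_file")
    case "$avail" in ''|*[!0-9]*) avail=0 ;; esac

    case "$cur" in
        virtio_rng*) src="virtio" ;;
        none|"")     src="missing" ;;
        *)           src="other" ;;
    esac

    # The source and the pool level are reported separately: a virtio device
    # fed from a blocking host pool can be present and the guest still starved.
    if [ "$avail" -lt "$min" ]; then
        status="starved"
    else
        status="ok"
    fi

    echo "source=$src current=$cur entropy_avail=$avail status=$status"
    [ "$status" = "ok" ]
}

# Run against the live system only when asked: sh rng_check.sh --run
if [ "${1:-}" = "--run" ]; then
    rng_check
fi
```

Running it before a long `dnssec-signzone` job, or from a monitoring check on the nameserver guest, shows whether the host is actually delivering randomness.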