The links in this chain of trust are delegation signing records ds rrtype. You can safely just ssh into the system and kill that process to make the domain creation continue. Solved is it normal that dnsseckeygen be this much slow. It can also generate keys for use with tsig transaction. Itd be helpful if you showed us exactly what youre doing. In order to verify your zone, dnssec requires a chain of trust from the root. One of the alternatives is trying to make the system more busy running more processes in the background. Dnssec key management and zone signing ripe network. Dnssec domain name system security extensions is a suite of ietf internet engineering task force specifications for securing certain kinds of information provided by the dns domain name system as used on ip internet protocol networks. In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. If the entropy on your system is low, you wont get enough random data to generate the keys in a timely manner.
Some systems have very little entropy and thus dnsseckeygen may take forever. For dnsseckeygen this can actually be faked, by passing the program a file from which it should consume the random data, but i certainly dont recommend you do that. This hang is probably caused by the dnsseckeygen command taking a long time to generate a new random key. It creates a file that contains a key record for each key, and selfsigns the key set with each zone key. Cryptographic algorithm used to generate the zones keys. The files with the extension key and private contain the public and the private key as generated by dnsseckeygen the file with the extension attr contains attribute information needed to operated the key store, while the file with extension adm contains some administration and audit information. Additional options for dnsseckeygen may be specified using this. As a solution to the lack of entropy on a machine, i frequently use a small program called haveged, and this also works very nicely on virtual environments. Hi is it normal that dnsseckeygen be this much slow. But taking a guess, youre using r devrandom for your entropy, which blocks when. There is no easy formula to calculate the number of name servers needed, as it depends on.
There was a bug in the old openssl builds that made openssl to ignore the rng engine modification. Ive only seen this happen when a nondefault dnssec key type is selected, or if the system doesnt have enough entropy to generate a random key. On some systems especially virtual machines with insufficient entropy, it may take much longer than one cares to. The center for internet security dns bind benchmark. The dnssecmakekeyset command generates a key set from one or more keys that are created by the dnsseckeygen command. If you run dnsseckeygen and it appears to hang particularly when on a virtual machine, the program is actually waiting for entropy i. What to do if dnsseckeygen hangs forever domainhelp. Consult dnsseckeygens manual page to determine legal values.
687 571 461 1519 1224 446 814 623 43 1495 117 657 116 1139 1362 1425 669 600 1307 140 263 144 743 1321 550 258 606 1332 568 709 1347 804 160