[Opendnssec-user] ods-signerd calling vmstat?!?
Carsten Strotmann (Men & Mice)
carsten at menandmice.com
Mon Sep 2 09:01:34 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Jakob,
Hi Paul,
(disclaimer: this is not critique at the OpenDNSSEC team, just my
thought and observations)
Jakob Schlyter wrote:
> On 30 aug 2013, at 17:44, Paul Wouters <paul at nohats.ca> wrote:
>
>> Wow, that is pretty epic - in a bad way...... Am I really trusting
>> opendnssec to generate RSA keys with the below code for entropy?
>> filenames in /tmp?
>
> Although I agree this is bad - have you checked if these are the ONLY
> entropy sources used by Botan?
my understanding is that Botan has various options to get randomness
from a system, where one is the use of files in /tmp and vmstat output.
What worries me is, as a user of OpenDNSSEC, is that it is not
transparent which entropy source is used. There might be an compile-time
or run-time option to Botan to influence or force the selection, but I'm
not an expert in Botan.
Maybe it is expected that a user/admin of OpenDNSSEC also gets familiar
with all the options and configuration parameters of the dependencies
(like Botan), but in my experience that is unrealistic (dependencies are
installed from the packaging system).
There should be a way of configure or compile Botan in a way so that it
will either use a good source of entropy, or fail (stop).
This mode should be detected (and enforced) by OpenDNSSEC, and in case
Botan is (configured|compiled) in an insecure way (using insecure
entropy), OpenDNSSEC should issue an error (or warning) and/or should fail.
There might be situations where weak randomness is "good enough" (like
in a pure non-production test/training environment), so it is desirable
that Botan can also work with the (less secure) fallback source of
randomness. This mode of operation should not be the default.
But in an production environment, all insecure sources of randomness
should never be used. The Admin must be aware, and the default must be
in a way that insecure randomness in not used "by accident".
Most of these requests/issues must be addressed to the Botan team
upstream, but I would like to have a broader opinion from this list first.
best regards
Carsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlIkU+4ACgkQElgUYvSqn/S3SwCeLx16ZmLjeYGWCxWXce/7W1tA
ZjsAn2S+e2asvxUp4RXLJvySkeKjkI+f
=cWx4
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list