[Opendnssec-user] ods-signerd calling vmstat?!?

Rick van Rein (OpenFortress) rick at openfortress.nl
Mon Sep 2 12:25:26 UTC 2013


Hello,

I found confirmation on the Botan site that they didn't do what would have been logical, namely to incorporate /dev/random when possible:

> To ensure good quality output, a PRNG needs to be seeded with truly random data. Normally this is done for you. However it may happen that your application has access to data that is potentially unpredictable to an attacker. If so, use
> 
> void RandomNumberGenerator::add_entropy(const byte* data, size_t length)
>
> See: http://botan.randombit.net/rng.html


I didn't find build instructions to say "use local entropy devices/daemons whenever available", let alone "require their service at startup". What a pity -- it sounds like they leave it to SoftHSM to do this work, even if the OS has proper sources of entropy.

When the OS has no such source, I can relate to what they are doing with status information from the running OS.  There is no way to satisfy paranoia anymore then -- software can't create entropy that doesn't exist in hardware and will ultimately trigger someone's paranoia.

-Rick
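The behaviour Rick asks for above ("require their service at startup") is easy to express in a few lines, so here is an added example of a fail-closed startup seed taken from the OS entropy device. It is not code from this thread, nor from OpenDNSSEC, SoftHSM or Botan; it assumes a POSIX system exposing /dev/urandom (or /dev/random), and that the caller afterwards hands the `seed` buffer to its PRNG, for instance via Botan's `add_entropy` quoted above.

```c
/* Added example (not from the thread, not OpenDNSSEC/SoftHSM/Botan code):
 * a fail-closed startup seed from the OS entropy device. Assumptions: a
 * POSIX system with /dev/urandom (or /dev/random); the caller later feeds
 * `seed` into its PRNG (e.g. Botan's add_entropy) and wipes the buffer. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 32  /* 256 bits: enough to seed any modern PRNG */

/* Read exactly `len` bytes from `path` into `out`. Returns 0 on success,
 * -1 if the device cannot be opened or a full read is not possible.
 * A short read is treated as failure: a partially filled seed is worse
 * than a refusal, because the caller would silently run with less
 * entropy than it believes it has. */
int read_os_entropy(const char *path, uint8_t *out, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, out + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            close(fd);
            return -1;
        }
        if (n == 0) {               /* EOF on an entropy device: broken */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Cheap smoke test on a seed buffer: reject all-identical bytes, which is
 * what an empty /dev inside a chroot or a stubbed device typically yields.
 * This is not an entropy estimate, only a guard against obvious breakage. */
int seed_looks_plausible(const uint8_t *seed, size_t len)
{
    if (len < 16)
        return 0;
    for (size_t i = 1; i < len; i++)
        if (seed[i] != seed[0])
            return 1;
    return 0;
}

/* Startup policy: require OS entropy, fail closed otherwise.
 * Returns 0 and fills `seed` on success; -1 means "do not start signing". */
int require_os_entropy_at_startup(uint8_t *seed, size_t len)
{
    /* /dev/urandom is used here; /dev/random is the device named in the
     * thread and, on Linux kernels since 5.6, behaves the same once the
     * pool is initialised. */
    if (read_os_entropy("/dev/urandom", seed, len) != 0) {
        fprintf(stderr, "no usable OS entropy source; refusing to start\n");
        return -1;
    }
    if (!seed_looks_plausible(seed, len)) {
        fprintf(stderr, "OS entropy source returned degenerate data\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    uint8_t seed[SEED_BYTES];
    if (require_os_entropy_at_startup(seed, sizeof seed) != 0)
        return 1;                   /* refuse to run on a poor seed */
    printf("seeded with %zu bytes from the OS\n", sizeof seed);
    /* Hypothetical next step: rng.add_entropy(seed, sizeof seed); then
     * wipe `seed` so the raw seed does not linger in process memory. */
    memset(seed, 0, sizeof seed);
    return 0;
}
```

The point of the design is the return code: a daemon that cannot obtain a full OS seed at startup exits instead of quietly falling back to scraping system statistics, which is the behaviour the `vmstat` call in the subject line hints at.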

