[Opendnssec-user] ods-signerd calling vmstat?!?

Sebastian Castro sebastian at nzrs.net.nz
Mon Sep 2 23:24:47 UTC 2013


On 03/09/13 10:26, Rick van Rein (OpenFortress) wrote:
> Hello,
> 
>>> I think anybody using softhsm in production should perhaps be
>>> introduced to <http://www.entropykey.co.uk/>.
> 
>> We got a bunch of those entropy keys for servers doing SSL and we
>> really like them... it's a very good product.
> 
> Can you please explain what makes you say that? Which of the tests
> did you subject the random material to, and what were the outcomes?

Well, I was not expecting to produce a report after throwing that
comment, but given it's my fault ;)

> 
> It's lovely to have a +1 vote, but much more useful to have an
> evaluation report so we can compare your experience with our own
> requirements in our own settings.

We have a bunch of production servers that do a lot of SSL work, mostly
handling HTTPS connections. When we started having troubles with slow
establishing connections, we looked into the entropy level available in
the servers, and in many occassions entropy was depleted. We bought two
keys for testing, deploy them, and the entropy was there up to 4Kb most
of the time. We never saw the slowdowns again. Before deployment, we did
some testing and although there was no conclusive results in terms of
speed, there was some benefit on the number of HTTPS sessions the server
was able to handle.


I hope it helps!

PS: We don't use the Entropy Keys in our DNSSEC deployment, keys are
created within the HSM, which provides high-quality RNG

> 
> -Rick
> 


-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535



More information about the Opendnssec-user mailing list