[Opendnssec-user] ods-signerd calling vmstat?!?

Havard Eidnes he at uninett.no
Wed Sep 4 14:37:30 UTC 2013


Hi,

following up your quote from Jack Lloyd:

> The problem of gathering large amounts of entropy on a system without a
> kernel provided/protected PRNG and a local attacker is not a satisfactorily
> solved one to my knowledge.

I'll note that the system I'm seeing these messages from has both
/dev/urandom and /dev/random, and I'm monitoring the estimated
entropy in the /dev/random pool, and it sits comfortably at 4096
bits most of the time, ref. the attached graph.

> Also, if earlier polls (eg /dev/random or EGD) succeed, then we
> will never query these sources at all, as spawning off all
> these processes is quite slow, so we avoid it except in cases
> where it is necessary due to lack of other options.

Ref. above, I'm still seeing these messages, indicating that
either the Botan library didn't get the required bits from
/dev/random or /dev/urandom (which should in itself be an
inexhaustible source of pseudo-random bits), or this statement
isn't quite correct for the version I'm using.

My botan package is version 1.8.14 (which could possibly stand an
update to at least something 1.10ish).

Regards,

- Håvard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: entropy-day.png
Type: image/png
Size: 17592 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130904/8d13b4c8/attachment.png>
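
Added example, not part of the original message and not code from Botan or OpenDNSSEC: one way to check, when run as the account the signer daemon uses, whether /dev/urandom and /dev/random can be opened and deliver bytes within a timeout. The function name, the 32-byte request and the 2-second timeout are assumptions chosen for illustration.

```python
import os
import select
import time


def probe_device(path, want=32, timeout=2.0):
    """Try to read `want` bytes from `path` without blocking forever.

    Returns (status, bytes_read); status is one of
    'ok', 'short', 'missing', 'denied' or 'error'.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except FileNotFoundError:
        return ("missing", 0)   # e.g. device node absent in this environment
    except PermissionError:
        return ("denied", 0)    # the current account may not open the device
    except OSError:
        return ("error", 0)

    got = 0
    deadline = time.monotonic() + timeout
    try:
        while got < want:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break           # timed out: the device is not delivering
            ready, _, _ = select.select([fd], [], [], remaining)
            if not ready:
                break
            try:
                chunk = os.read(fd, want - got)
            except BlockingIOError:
                continue        # not ready after all; retry until deadline
            if not chunk:
                break           # end of file: not a working random device
            got += len(chunk)
    finally:
        os.close(fd)
    return ("ok" if got == want else "short", got)


if __name__ == "__main__":
    for dev in ("/dev/urandom", "/dev/random"):
        status, n = probe_device(dev)
        print(f"{dev}: {status} ({n} bytes)")
```

A result other than `ok` for both devices would be consistent with a library falling back to slower entropy sources; it does not by itself show what Botan 1.8.14 does.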

