[Opendnssec-user] entropy source for SoftHSM

Rick van Rein rick at openfortress.nl
Tue May 13 14:21:04 UTC 2014


Hi Alex,

> Is it possible and reasonable to use opendnssec + SoftHSM + TRNG

I wonder why you want this?

You don’t need a lot of random material, unless you would need to create large numbers of keys instantaneously.  This would only be the case when setting up large numbers of zones at once, and requiring instant responsiveness (in which case I’d also ask questions about backups).

In normal operation, key rollovers require random material, but these can be scheduled at a slow pace, and OpenDNSSEC will adapt to whatever that means.

Signatures are more time constrained, but are usually an entirely deterministic process.  The one exception would be DSA, for which good random material is required for every secret (or else two signatures would reduce to a set of two equations with two unknowns, one of which is your private key) but DSA is advised against on account of the signature validation load it incurs on resolvers.

Or is it the quality of the kernel random source that you are doubting?  Anything concrete sounds prone to attack, IMHO… if I were you I’d be more concerned about user-space storage of your private keys than the in-kernel random number derivation ;-)

Cheers,
 -Rick


More information about the Opendnssec-user mailing list