[Swan-dev] /dev/random slows testing a lot

D. Hugh Redelmeier hugh at mimosa.com
Fri Jul 13 02:44:13 UTC 2018

My run of the test suite is making glacial progress.

It has been stuck for seven hours in dnssec-keygen on the host

\_ make kvm-check
    \_ /bin/sh ./testing/baseconfigs/all/etc/bind/generate-dnssec.sh
        \_ dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE 2.1.192.in-addr.arpa

When I apply gdb to dnssec-keygen, it is sitting there waiting for entropy.

The dnssec-keygen manual says that it uses /dev/random by default.
gdb shows this to be the case.

I thought: no problem, I've got a 4th gen Intel processor and "rdrand"
shows up in /proc/cpuinfo.  But I see hints that the kernel XORs this
source with the random number pool and thus does not actually increase
the amount of entropy estimated to be available.  Whatever the
explanation, there is a severe entropy shortage on my host.

random(4) says, more or less, that /dev/random should not be used and
/dev/urandom should be used in its place.  There are certain cases
where getrandom(2) is more suitable.

So: at least for testing, I think that we should change
to invoke dnssec-keygen with -r /dev/urandom
This occurs twice.

The same applies to the dnssec-signzone, which appears once, in the
same file.

I'm testing this now.

More information about the Swan-dev mailing list