[Swan-dev] /dev/random slows testing a lot

Paul Wouters paul at nohats.ca
Fri Jul 13 03:26:38 UTC 2018


Please do make the script use urandom. I’d do it, but I’m traveling with a deadish laptop.

Sent from my phone

> On Jul 12, 2018, at 22:44, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> 
> My run of the test suite is making glacial progress.
> 
> It has been stuck for seven hours in dnssec-keygen on the host
> computer:
> 
> \_ make kvm-check
>    \_ /bin/sh ./testing/baseconfigs/all/etc/bind/generate-dnssec.sh
>        \_ dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE 2.1.192.in-addr.arpa
> 
> When I apply gdb to dnssec-keygen, it is sitting there waiting for entropy.
> 
> The dnssec-keygen manual says that it uses /dev/random by default.
> gdb shows this to be the case.
> 
> I thought: no problem, I've got a 4th gen Intel processor and "rdrand"
> shows up in /proc/cpuinfo.  But I see hints that the kernel XORs this
> source with the random number pool and thus does not actually increase
> the amount of entropy estimated to be available.  Whatever the
> explanation, there is a severe entropy shortage on my host.
> 
> random(4) says, more or less, that /dev/random should not be used and
> /dev/urandom should be used in its place.  There are certain cases
> where getrandom(2) is more suitable.
> 
> So: at least for testing, I think that we should change
>    testing/baseconfigs/all/etc/bind/generate-dnssec.sh
> to invoke dnssec-keygen with -r /dev/urandom
> This occurs twice.
> 
> The same applies to the dnssec-signzone, which appears once, in the
> same file.
> 
> I'm testing this now.
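
An audit for the change proposed in the quoted message, added here as an example and not part of the original thread or the libreswan tree: it lists dnssec-keygen and dnssec-signzone invocations in a script that do not pass -r /dev/urandom. The function names, the sample script and its dnssec-signzone arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not libreswan code): find dnssec-keygen / dnssec-signzone
# calls that would use the tool's blocking /dev/random default.

# Print "LINE:COMMAND" for every invocation in script $1 that lacks
# "-r /dev/urandom". Backslash-continued lines are joined first, so a -r
# on a continuation line counts; comment lines are skipped.
find_blocking_rng_calls() {
    awk '
    {
        if (buf == "") start = NR
        buf = buf $0
        if (buf ~ /\\$/) { sub(/\\$/, " ", buf); next }
        cmd = buf; buf = ""
        if (cmd ~ /^[ \t]*#/) next
        if (cmd ~ /(^|[^A-Za-z0-9_-])dnssec-(keygen|signzone)([ \t]|$)/ &&
            cmd !~ /[ \t]-r[ \t]*\/dev\/urandom([ \t]|$)/)
            printf "%d:%s\n", start, cmd
    }' "$1"
}

# Kernel entropy estimate in bits (Linux), or "unknown" elsewhere.
entropy_estimate() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# Constructed sample input, not the real generate-dnssec.sh. Only the first
# dnssec-keygen line is taken from the process listing in the message.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# dnssec-keygen and dnssec-signzone calls follow
dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE 2.1.192.in-addr.arpa
dnssec-keygen -r /dev/urandom -K keys \
    -a RSASHA256 -n ZONE 2.1.192.in-addr.arpa
dnssec-signzone -S -K keys \
    -o 2.1.192.in-addr.arpa zonefile
EOF
}

# Usage: sh audit.sh path/to/script   (audit.sh is a hypothetical name)
if [ "$#" -gt 0 ]; then
    echo "entropy estimate: $(entropy_estimate)"
    find_blocking_rng_calls "$1"
fi
```

An empty result means every invocation found names /dev/urandom explicitly; each reported line number is where the flagged command starts.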


