[Swan-dev] /dev/random slows testing a lot

Andrew Cagney andrew.cagney at gmail.com
Fri Jul 13 22:16:04 UTC 2018


On Thu, 12 Jul 2018 at 22:44, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
>
> My run of the test suite is making glacial progress.
>
> It has been stuck for seven hours in dnssec-keygen on the host
> computer:
>
> \_ make kvm-check
>     \_ /bin/sh ./testing/baseconfigs/all/etc/bind/generate-dnssec.sh
>         \_ dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE 2.1.192.in-addr.arpa

I think this should run on the test domains.  Again, that gets us away
from a host dependency.

> When I apply gdb to dnssec-keygen, it is sitting there waiting for entropy.
>
> The dnssec-keygen manual says that it uses /dev/random by default.
> gdb shows this to be the case.
>
> I thought: no problem, I've got a 4th gen Intel processor and "rdrand"
> shows up in /proc/cpuinfo.  But I see hints that the kernel XORs this
> source with the random number pool and thus does not actually increase
> the amount of entropy estimated to be available.  Whatever the
> explanation, there is a severe entropy shortage on my host.
>
> random(4) says, more or less, that /dev/random should not be used and
> /dev/urandom should be used in its place.  There are certain cases
> where getrandom(2) is more suitable.
>
> So: at least for testing, I think that we should change
>         testing/baseconfigs/all/etc/bind/generate-dnssec.sh
> to invoke dnssec-keygen with -r /dev/urandom
> This occurs twice.
>
> The same applies to the dnssec-signzone, which appears once, in the
> same file.
>
> I'm testing this now.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
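
Added example, not part of the original message or the libreswan tree: a shell probe for the stall described above. It reports the kernel's entropy estimate and whether a time-limited read from /dev/random or /dev/urandom comes up short; the function names, the 256-byte probe size and the 2-second limit are assumptions.

```shell
#!/bin/sh
# Added diagnostic example; function names and limits are hypothetical.

# entropy_avail [FILE]: print the kernel's entropy estimate in bits,
# or "unknown" if the file cannot be read.
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null || echo unknown
}

# bytes_within DEV NBYTES SECONDS: print how many of NBYTES could be
# read from DEV before SECONDS elapsed (timeout kills the stalled read).
bytes_within() {
    timeout "$3" head -c "$2" "$1" 2>/dev/null | wc -c | tr -d ' '
}

# source_blocks DEV NBYTES SECONDS: succeed if the read came up short,
# i.e. a program reading DEV would sit waiting as dnssec-keygen did.
source_blocks() {
    [ "$(bytes_within "$1" "$2" "$3")" -lt "$2" ]
}

# report: compare the two devices the thread discusses.
report() {
    # 256 bytes = 2048 bits, the key size in the quoted command. This is a
    # constructed probe size, not the amount dnssec-keygen actually reads.
    need=256
    echo "entropy_avail: $(entropy_avail) bits"
    for dev in /dev/random /dev/urandom; do
        if source_blocks "$dev" "$need" 2; then
            echo "$dev: short read, a reader of this device would stall"
        else
            echo "$dev: delivered $need bytes"
        fi
    done
}

report
```

On kernels where /dev/random no longer blocks once the pool is initialized, both devices report a full read.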

