Commit 16d148a8 authored by Joshua Tauberer

use /dev/urandom for DNSSEC key generation, fixes #596, partially reverts #115 (69f0e1d0)
parent e8264e9b
...@@ -78,7 +78,7 @@ FIRST=1 #NODOC ...@@ -78,7 +78,7 @@ FIRST=1 #NODOC
for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do
if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
if [ $FIRST == 1 ]; then if [ $FIRST == 1 ]; then
echo "Generating DNSSEC signing keys. This may take a few minutes..." echo "Generating DNSSEC signing keys..."
FIRST=0 #NODOC FIRST=0 #NODOC
fi fi
...@@ -89,16 +89,16 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then ...@@ -89,16 +89,16 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
# `ldns-keygen` outputs the new key's filename to stdout, which # `ldns-keygen` outputs the new key's filename to stdout, which
# we're capturing into the `KSK` variable. # we're capturing into the `KSK` variable.
# #
# ldns-keygen uses /dev/random for generating random numbers. See the # ldns-keygen uses /dev/random for generating random numbers by default.
# notes in ssl.sh about how /dev/urandom is seeded, which probably also # This is slow and unecessary if we ensure /dev/urandom is seeded properly,
# applies here, but also /dev/random is seeded by the haveged daemon. # so we use /dev/urandom. See system.sh for an explanation. See #596, #115.
KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 2048 -k _domain_); KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo -b 2048 -k _domain_);
# Now create a Zone-Signing Key (ZSK) which is expected to be # Now create a Zone-Signing Key (ZSK) which is expected to be
# rotated more often than a KSK, although we have no plans to # rotated more often than a KSK, although we have no plans to
# rotate it (and doing so would be difficult to do without # rotate it (and doing so would be difficult to do without
# disturbing DNS availability.) Omit `-k` and use a shorter key length. # disturbing DNS availability.) Omit `-k` and use a shorter key length.
ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 1024 _domain_); ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo -b 1024 _domain_);
# These generate two sets of files like: # These generate two sets of files like:
# #
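Review bot: Both changed `ldns-keygen` lines run `cd $STORAGE_ROOT/dns/dnssec;` unquoted and without checking the result, so if the directory is missing or the path contains spaces, the private key files are written to whatever the current directory happens to be. Suggest `cd "$STORAGE_ROOT/dns/dnssec" && ldns-keygen -r /dev/urandom -a $algo -b 2048 -k _domain_` (and the same for the ZSK line), so a failed `cd` makes the command fail instead of producing keys in the wrong place. The new comment also has a typo, "unecessary", and since the safety of `-r /dev/urandom` rests on the seeding it attributes to system.sh, it would help to state there that system.sh must have run before this script.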
......
...@@ -63,6 +63,7 @@ apt_install python3 python3-dev python3-pip \ ...@@ -63,6 +63,7 @@ apt_install python3 python3-dev python3-pip \
# encryption keys and passwords: # encryption keys and passwords:
# #
# * TLS private key (see `ssl.sh`, which calls `openssl genrsa`) # * TLS private key (see `ssl.sh`, which calls `openssl genrsa`)
# * DNSSEC signing keys (see `dns.sh`)
# * our management server's API key (via Python's os.urandom method) # * our management server's API key (via Python's os.urandom method)
# #
# Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait # Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait
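Review bot: The added list entry `* DNSSEC signing keys (see dns.sh)` does not name the mechanism, unlike its neighbours, which name `openssl genrsa` and `os.urandom`. Suggest wording it as "DNSSEC signing keys (see `dns.sh`, which calls `ldns-keygen -r /dev/urandom`)", so a reader of this comment can see that the dependency on /dev/urandom there comes from an explicit flag and would be lost if the flag were dropped.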
......