Package: bind9utils
Version: 1:9.9.5.dfsg-8
Severity: important
Justification: Almost unusable for most users

Hello,

Running

  $ dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.net

takes ages, like 12 hours, sometimes more than a day. A dot is printed every 30 minutes or so, but people will usually abort it thinking it's dead.

An strace shows that this command requires about 400,000 bits of entropy from /dev/random. Is keygen doing something special to need that much?

Generating a 4k RSA key with other programs such as gnupg usually takes a minute or so. I expected dnssec-keygen to have about the same requirements.

If bind cannot generate keys correctly, maybe it could provide a tool to convert a key pair generated by an external tool such as openssl to the required format.

Thank you for taking care of bind.

--
  $ strace /usr/sbin/dnssec-keygen -v 9 -a RSASHA256 -b 4096 -f KSK -r /dev/urandom example.net >/dev/null 2> log
  $ total=0; grep "read(3" log | sed -re 's/^.*= ([0-9]+)$/\1/g' | while read i; do total=$(( total + i )); echo "$total"; done | tail -1

=> 362378 bytes (about 3M bits!)

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages bind9utils depends on:
ii  libbind9-90                            1:9.9.5.dfsg-8
ii  libc6                                  2.19-13
ii  libcap2                                1:2.24-6
ii  libcomerr2                             1.42.12-1
ii  libdns100                              1:9.9.5.dfsg-8
ii  libgssapi-krb5-2                       1.12.1+dfsg-16
ii  libisc95                               1:9.9.5.dfsg-8
ii  libisccc90                             1:9.9.5.dfsg-8
ii  libisccfg90                            1:9.9.5.dfsg-8
ii  libk5crypto3                           1.12.1+dfsg-16
ii  libkrb5-3                              1.12.1+dfsg-16
ii  libpython2.7-stdlib [python-argparse]  2.7.8-11
ii  libssl1.0.0                            1.0.1j-1
ii  libxml2                                2.9.1+dfsg1-4
ii  python                                 2.7.8-2

bind9utils recommends no packages.

bind9utils suggests no packages.

-- no debconf information