 $ dnssec-keygen -a HMAC-MD5 -b 512 -n HOST  {host}

The above results in a blank line and endless waiting.

 $ dnssec-keygen -T DNSKEY -a HMAC-MD5 -b 512 -n HOST  {host}

The same.

Entropy:

$ cat /proc/sys/kernel/random/entropy_avail 
890

PS. I was trying to make some noise with `find /`, but that brought no result.

Rui F Ribeiro
ceph3us
  • @RuiFRibeiro - I have occasion to ask what key you propose to use to change the DNS entry, as I want to make dynamic changes from my client (host) since I have a dynamic IP at home and a VPS with DNS (and I want to be sure that this is secure enough; is there a way for me to use my key on a PKCS#11 device?) – ceph3us Jun 16 '16 at 20:47
  • @RuiFRibeiro I mean that on PKCS#11 I have ECC private/public keys and certificates; I would like to reuse them as I do on the HTTP server or in Java apps. – ceph3us Jun 16 '16 at 22:37
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/41284/discussion-between-ceph3us-and-rui-f-ribeiro). – ceph3us Jun 16 '16 at 22:53

1 Answer


By default, dnssec-keygen uses /dev/random; the generation is slow, all the more so on less busy systems.

One of the alternatives is trying to make the system busier by running more processes in the background. It will still be a bit slow, but less so. Virtual machines are usually less starved of entropy when there is more I/O.

Another alternative is using /dev/urandom. /dev/urandom is a pseudo-random generator, but unless you are booting the system, it should be random enough for your needs.

I therefore advise using /dev/urandom as the source instead, adding `-r /dev/urandom` to your command, as in:

dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {host} 

For more, please read:

Bug 1025554 - generating keys using dnssec-keygen is very slow

As run by @ceph3us after adding the `-r /dev/urandom` parameter,

$ dnssec-keygen  -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST  {host}

key generation time:

real 0m0.033s 
user 0m0.028s 
sys 0m0.004s
Rui F Ribeiro
  • The `-r /dev/urandom` needs to go at the front of the parameters. I tried the first example and it failed on my install. – xer0x Oct 02 '17 at 17:45
  • **UPDATE**: Executing `dnssec-keygen` (Version: 9.14.2) with the `-r` option will produce the following error: `dnssec-keygen: fatal: The -r option has been deprecated. System random data is always used.` – KaiserKatze Jun 07 '19 at 09:24
  • @KaiserKatze Good to know that after 3 years they have fixed it in the code. Interesting, thanks for the heads up. – Rui F Ribeiro Jun 07 '19 at 10:23
  • @RuiFRibeiro you're welcome, sir. BTW, the HMAC algorithm has been removed from `dnssec-keygen`; come and take a look at my post [here](https://unix.stackexchange.com/questions/523565/how-to-generate-tsig-key-for-certbot-plugin-certbot-dns-rfc2136). – KaiserKatze Jun 07 '19 at 15:08
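The answer's underlying point is that an HMAC (TSIG) key is nothing more than a run of random bytes, base64-encoded, so the only thing `dnssec-keygen` was waiting on was the kernel's entropy pool. The comments add that newer BIND releases reject `-r` and no longer generate HMAC keys with `dnssec-keygen` at all. The following added example (not code from the question, the answer or the BIND project) reads the kernel entropy estimate the question checked and then builds a `named.conf` `key` stanza, in the format BIND's own `tsig-keygen` emits, directly from `/dev/urandom`. The key name `home-client.example.` is a constructed placeholder; the defaults (hmac-sha256, 32 bytes) are my choice, and the second call reproduces the question's 512-bit HMAC-MD5 size.

```shell
#!/bin/sh
# Added example, not from the original post: derive a BIND TSIG key stanza
# straight from the kernel CSPRNG. Key names below are constructed placeholders.

# Print the kernel's current entropy estimate, or "n/a" where the file is absent.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo "n/a"
    fi
}

# gen_tsig_key NAME [ALGORITHM] [BYTES]
# Reads BYTES random bytes from /dev/urandom, base64-encodes them and emits
# a named.conf "key" stanza. Defaults give a 256-bit hmac-sha256 key.
gen_tsig_key() {
    name=$1
    algorithm=${2:-hmac-sha256}
    nbytes=${3:-32}
    secret=$(head -c "$nbytes" /dev/urandom | base64 | tr -d '\n')
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$name" "$algorithm" "$secret"
}

# Pull the base64 secret back out of a stanza on stdin (used to verify the
# decoded key length matches what was requested).
tsig_secret() {
    sed -n 's/.*secret "\([^"]*\)".*/\1/p'
}

# Usage: a 256-bit hmac-sha256 key for a hypothetical dynamic-DNS client,
# then a 512-bit hmac-md5 key matching the question's `-b 512`.
echo "entropy_avail: $(entropy_avail)"
gen_tsig_key "home-client.example."
gen_tsig_key "home-client.example." hmac-md5 64
```

Because `/dev/urandom` never blocks, this returns immediately regardless of the entropy estimate, which is exactly why the answer's `-r /dev/urandom` fixed the hang. On Linux 5.6 and later `/dev/random` itself stops blocking once the pool has been initialised at boot, so the original symptom is mostly confined to older kernels. Prefer `hmac-sha256` over the question's `hmac-md5` for any new key; BIND accepts both, but MD5 is there only for compatibility.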