CentOS - Dec 2015 - Centos7 poblems with dnssec-keygen

On 12/24/2015 03:50 PM, Alice Wonder wrote:
>
>
> On 12/24/2015 12:40 PM, Robert Moskowitz wrote:
>> I am reading:
>>
>>
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html
>>
>>
>> I have bind installed and default config running.  I have not applied
my
>> customizations yet.  The first step I am taking is getting rndc.key
>> created.  So reading the guide I am trying to run (while logged in as
>> root, and in /etc):
>>
>> dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key
>>
>> The system is just sitting there and doing nothing.  I have sshed as
>> another session and do not see any processing being done by 
>> dnssec-keygen.
>>
>> Has anyone else done this?  Am I doing things in the right order? If it
>> works for others, then there is something wrong with my setup...
>
> It's working fine for me.
>
> I'm using the command ldns-keygen to generate keys though - e.g.
>
> ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`
>
> and
>
> KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`
>
> ldns-keygen is from the ldns package.
>
> Mine is currently all scripted and automated, has been for months - I 
> started with an Ubuntu tutorial though, not CentOS documentation, and 
> adapted it.
>
> I'll have to look at the scripts I wrote more carefully when I get 
> home (wonder if I should be using different than SHA1 now too? I'll 
> have to research that)
Right now all I want working is rndc.  dnssec will be worked on come spring.

With all I do in security, it bothers me that the Centos documentation 
specifies MD5.  Should be at least SHA1, if not SHA256.

On 12/24/2015 12:54 PM, Robert Moskowitz wrote:
>
> Right now all I want working is rndc.  dnssec will be worked on come
> spring.
>
> With all I do in security, it bothers me that the Centos documentation
> specifies MD5.  Should be at least SHA1, if not SHA256.
>
>
Oh okay I apoligize, I mis-read your post as asking about generating 
DNSSEC keys, due to the command name you were using.

I have no clue about bind / rndc, I use NSD for authoritative.

Sorry about the noise.

On 12/24/2015 04:30 PM, Alice Wonder wrote:
>
>
> On 12/24/2015 12:54 PM, Robert Moskowitz wrote:
>
>>
>> Right now all I want working is rndc.  dnssec will be worked on come
>> spring.
>>
>> With all I do in security, it bothers me that the Centos documentation
>> specifies MD5.  Should be at least SHA1, if not SHA256.
>>
>>
>
> Oh okay I apoligize, I mis-read your post as asking about generating 
> DNSSEC keys, due to the command name you were using.
>
> I have no clue about bind / rndc, I use NSD for authoritative.
>
> Sorry about the noise.
Not a problem.

Turns out, this is on an armv7 with the new C7-arm port and there are 
no  (or too few) processes running for there to be anything in 
/dev/random.  I was told to open up an ssh session and run

dd if=/dev/mmcblk0p3 of=/dev/null

Once that finished, the keygen finished in my console session.