external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-25 02:47:04 +00:00
Code Issues Releases Wiki Activity

use /dev/urandom for DNSSEC key generation, fixes #596, partially reverts #115 (69f0e1d07a)

Browse Source
This commit is contained in:
Joshua Tauberer 2015-11-17 17:11:35 -05:00
parent e8264e9b6a
commit 16d148a8a9
2 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
setup/dns.sh
View File

@ -78,7 +78,7 @@ FIRST=1 #NODOC
for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do
if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
if [ $FIRST == 1 ]; then if [ $FIRST == 1 ]; then
echo "Generating DNSSEC signing keys. This may take a few minutes..." echo "Generating DNSSEC signing keys..."
FIRST=0 #NODOC FIRST=0 #NODOC
fi fi
@ -89,16 +89,16 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
# `ldns-keygen` outputs the new key's filename to stdout, which # `ldns-keygen` outputs the new key's filename to stdout, which
# we're capturing into the `KSK` variable. # we're capturing into the `KSK` variable.
# #
# ldns-keygen uses /dev/random for generating random numbers. See the # ldns-keygen uses /dev/random for generating random numbers by default.
# notes in ssl.sh about how /dev/urandom is seeded, which probably also # This is slow and unecessary if we ensure /dev/urandom is seeded properly,
# applies here, but also /dev/random is seeded by the haveged daemon. # so we use /dev/urandom. See system.sh for an explanation. See #596, #115.
KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 2048 -k _domain_); KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo -b 2048 -k _domain_);
# Now create a Zone-Signing Key (ZSK) which is expected to be # Now create a Zone-Signing Key (ZSK) which is expected to be
# rotated more often than a KSK, although we have no plans to # rotated more often than a KSK, although we have no plans to
# rotate it (and doing so would be difficult to do without # rotate it (and doing so would be difficult to do without
# disturbing DNS availability.) Omit `-k` and use a shorter key length. # disturbing DNS availability.) Omit `-k` and use a shorter key length.
ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 1024 _domain_); ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo -b 1024 _domain_);
# These generate two sets of files like: # These generate two sets of files like:
# #

1
setup/system.sh
View File

@ -63,6 +63,7 @@ apt_install python3 python3-dev python3-pip \
# encryption keys and passwords: # encryption keys and passwords:
# #
# * TLS private key (see `ssl.sh`, which calls `openssl genrsa`) # * TLS private key (see `ssl.sh`, which calls `openssl genrsa`)
# * DNSSEC signing keys (see `dns.sh`)
# * our management server's API key (via Python's os.urandom method) # * our management server's API key (via Python's os.urandom method)
# #
# Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait # Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait