mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2026-03-30 21:07:23 +02:00

add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596
This commit is contained in:
Joshua Tauberer
2015-11-17 15:41:13 -05:00
parent 05e128cafb
commit 4f2b223070
2 changed files with 60 additions and 15 deletions


@@ -88,6 +88,10 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
#
# `ldns-keygen` outputs the new key's filename to stdout, which
# we're capturing into the `KSK` variable.
#
# ldns-keygen uses /dev/random for generating random numbers. See the
# notes in ssl.sh about how /dev/urandom is seeded, which probably also
# applies here, but also /dev/random is seeded by the haveged daemon.
KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 2048 -k _domain_);
# Now create a Zone-Signing Key (ZSK) which is expected to be
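Review bot: the added comment lines (`# ldns-keygen uses /dev/random ...` through `... seeded by the haveged daemon.`) hedge with "probably also applies here" on a point that decides whether the KSK is generated from good entropy; a comment next to key generation should state what was verified, not a guess. Suggest either confirming how ldns-keygen seeds its RNG and dropping "probably", or saying plainly that it was not checked. The last sentence also reads as if /dev/random had its own seeding separate from /dev/urandom; haveged feeds the kernel entropy pool that backs both devices, so a clearer wording would be something like `# haveged keeps the kernel entropy pool (behind both /dev/random and /dev/urandom) topped up, so the ssl.sh notes apply here too.` Finally, the cross-reference to "the notes in ssl.sh" is the other file in this commit; naming the section or function there would save the reader a search.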