How to disable DNSSEC on a domain

By , April 3, 2018

There are plenty of tutorials around on how to enable DNSSEC on a domain name, but every once in a while you may find yourself in a situation where you want to turn it off.

When that happens, the process is often misunderstood: people think that by simply removing the keys from their zone and reloading it as a clear, unsigned zone, they've disabled DNSSEC.

What to do if dnssec-keygen hangs forever

By , May 2, 2017


On some systems, when you try to generate DNSSEC keys using dnssec-keygen, it just hangs (seemingly) forever.

As per Alexander Gurvitz’s post in the Ubuntu forums:

It is NOT a bug.
In order to generate SECURE keys, dnssec-keygen reads /dev/random, which will block until there’s enough entropy available on your system. Some systems have very little entropy and thus dnssec-keygen may take forever.
Possible solutions:
1. apt-get install haveged
haveged daemon supplies lots of entropy to /dev/random.

2. dnssec-keygen -r /dev/urandom
Will use “non-blocking” pseudo-random device (lower security).

3. Move mouse and tap on keyboard – kernel uses this as entropy source.

4. Buy a hardware entropy device.

The easiest and best solution is #1; if you can't even do that, the most expedient is #2.
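
As an added example (not from the original post or the quoted forum reply), this script reads the Linux kernel's entropy estimate before you run dnssec-keygen and maps the result to options #1 and #2 above. The function names and the 200-bit threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Pre-flight check for the dnssec-keygen hang described above (added example).
# The 200-bit default threshold is an assumed value, not taken from the post.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail   # Linux entropy estimate

# entropy_bits [FILE]: print the estimate in bits; return 2 if unreadable/invalid.
entropy_bits() {
    eb_file="${1:-$ENTROPY_FILE}"
    [ -r "$eb_file" ] || return 2
    eb_bits=$(cat "$eb_file" 2>/dev/null) || return 2
    case "$eb_bits" in
        ''|*[!0-9]*) return 2 ;;      # empty or non-numeric content
    esac
    printf '%s\n' "$eb_bits"
}

# entropy_status [MIN] [FILE]: print "ok", "low" or "unknown".
entropy_status() {
    es_min="${1:-200}"
    es_bits=$(entropy_bits "${2:-}") || { echo unknown; return 0; }
    if [ "$es_bits" -ge "$es_min" ]; then echo ok; else echo low; fi
}

# wait_for_entropy MIN TIMEOUT_SECONDS [FILE]: poll once per second, e.g. after
# starting haveged; return 0 once the estimate reaches MIN, 1 on timeout.
wait_for_entropy() {
    we_waited=0
    while [ "$(entropy_status "$1" "${3:-}")" != ok ]; do
        [ "$we_waited" -ge "$2" ] && return 1
        sleep 1
        we_waited=$((we_waited + 1))
    done
    return 0
}

# keygen_advice [MIN] [FILE]: map the status to the options listed in the post.
keygen_advice() {
    case "$(entropy_status "${1:-200}" "${2:-}")" in
        ok)  echo "entropy estimate meets the threshold; run dnssec-keygen" ;;
        low) echo "low entropy: install haveged (#1) or use -r /dev/urandom (#2)" ;;
        *)   echo "entropy estimate unavailable on this system" ;;
    esac
}

keygen_advice   # report on the live system when the script is run directly
```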