Programs that rely on good random data (cryptographic functions) can be very slow when running inside a virtual machine (VMWare, Virtual Box, KVM ...). On Linux, the /dev/random device blocks if there is not enough randomness in the system. DNSSEC enabled DNS Server and their tools use /dev/random as a source of randomness for cryptographic operations.
The device /dev/urandom does not block, but the randomness delivered is not guaranteed to be good and it should not be used to generate key material with a long lifespan (such as key signing keys, KSKs).
This effects DNSSEC tools like dnssec-keygen and dnssec-signzone, but it can also have a performance impact on a DNSSEC enabled DNS Server that is re-signing a dynamic zone or a DNS resolver validating DNSSEC data for a client.
The speed and randomness of the operating systems random number generator can be tested with the 'rngtest' tool which is part of the 'rng-tools' package in Debian and Ubuntu Linux (source: http://sourceforge.net/projects/gkernel/files/rng-tools/).
cat /dev/random | rngtest -c 100
Problem:Randomness in operating systems is generated from non-predictable sources like user input and hardware interrupts. Virtual machines have usually the issue with creating good randomness (almost everything is virtualized and predictable).
- See When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography
- Wikipedia on /dev/random: http://en.wikipedia.org/wiki//dev/random
- "Analysis of the Linux Random Number Generator": http://www.pinkas.net/PAPERS/gpr06.pdf
SolutionToday, some CPUs and motherboards (VIA, Intel, AMD) have build in random number generators. These can be used to fill the pool of random bits. In addition, additional hardware can be added to a server to supply random bits. This hardware must then be linked into the virtual machine. (Hardware Random Number Generator / Comparison of hardware random number generators)
Other solutions are software based and try to find entropy in different aspects of an virtual machine:
- "haveged - A simple entropy daemon" is a clever solution for Linux-VMs: http://www.issihosts.com/haveged/
- KVM tweaks: http://www.roessner-network-solutions.com/?p=586
- EGD: The Entropy Gathering Daemon: http://egd.sourceforge.net/
- PRNGD - Pseudo Random Number Generator Daemon: http://prngd.sourceforge.net/