Is using /dev/urandom for DNSSEC key generation safe?

DNSSEC key generation during install now uses /dev/urandom (instead of /dev/random), which is faster.

https://github.com/mail-in-a-box/mailinabox/blob/v0.15/CHANGELOG.md#changelog

I know /dev/urandom as a non-blocking, potentially lower-entropy source of randomness. You usually seem to know what you’re doing, but “faster” isn’t helping me believe this is the case, so I’d like to hear more. Reading on GitHub, /dev/random has previously been the choice for everything.

OSes implement these devices differently, and I’m worried about the ones where /dev/urandom provides worse entropy.

See:

and
