Is using /dev/urandom for DNSSEC key generation safe?

jooize · January 2, 2016, 7:11pm

DNSSEC key generation during install now uses /dev/urandom (instead of /dev/random), which is faster.

— mailinabox/CHANGELOG.md at v0.15 · mail-in-a-box/mailinabox · GitHub

I know /dev/urandom as a non-blocking potentially lower-entropy source for randomness. You usually seem to know what you’re doing, but “faster” isn’t helping me believe this is the case, so I’d like to hear more. Reading on GitHub, /dev/random has previously been the choice for everything.

OSes implement these devices differently, and I’m worried about the ones where /dev/urandom provides worse entropy.

JoshData · January 2, 2016, 7:31pm

See:

github.com

mail-in-a-box/mailinabox/blob/4305a71916c8c566234c575e1806b769a5960c2a/setup/system.sh#L90


else
	# This is a non-interactive setup so we can't ask the user.
	# If /etc/timezone is missing, set it to UTC.
	if [ ! -f /etc/timezone ]; then
		echo "Setting timezone to UTC."
		echo "Etc/UTC" > /etc/timezone
		restart_service rsyslog
	fi
fi

# ### Seed /dev/urandom
#
# /dev/urandom is used by various components for generating random bytes for
# encryption keys and passwords:
#
# * TLS private key (see `ssl.sh`, which calls `openssl genrsa`)
# * DNSSEC signing keys (see `dns.sh`)
# * our management server's API key (via Python's os.urandom method)
# * Roundcube's SECRET_KEY (`webmail.sh`)
# * ownCloud's administrator account password (`owncloud.sh`)
#

and