33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
|
|
From: Petr Mensik <pemensik@redhat.com>
|
|
Date: Fri, 9 Jul 2021 20:52:21 +0200
|
|
Subject: [PATCH] Use proper entropy to initialize tsig keyname
|
|
|
|
Random names used on GSS backed nsupdate can conflict in specific
|
|
situations. That might include starting a lot of machines from
|
|
containers, where they took all similar time to start. PID and timestamp
|
|
would be similar and therefore randomness is quite low. Use entropy to
|
|
generate more random identifier and reduce chance of conflict.
|
|
---
|
|
bin/nsupdate/nsupdate.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
|
index 458aa76..d9e5a2b 100644
|
|
--- a/bin/nsupdate/nsupdate.c
|
|
+++ b/bin/nsupdate/nsupdate.c
|
|
@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
|
|
|
|
keyname = dns_fixedname_initname(&fkname);
|
|
|
|
- isc_random_get(&val);
|
|
+ result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
|
|
+ if (result != ISC_R_SUCCESS)
|
|
+ isc_random_get(&val);
|
|
result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
|
|
val, namestr);
|
|
if (result != ISC_R_SUCCESS)
|
|
--
|
|
2.31.1
|
|
|