ISPConfig3 – DNSSEC ERROR: We are low on entropy.


It seems that ISPConfig3 checks whether the available entropy is below 200, and elsewhere below 400, in the following file: /usr/local/ispconfig/server/bind_plugin.inc.php.

Line 93 and line 210 check for entropy availability.

Line 93, inside function soa_dnssec_create():

if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
	$app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
	echo "DNSSEC ERROR: We are low on entropy. Not generating new Keys for $domain. Please consider installing package haveged.\n";
	return false;
}

Line 210, inside function soa_dnssec_update():

                if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
                        $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERROR);
                        echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
                        return false;
                }

My problem seems to be that entropy_avail is 256.

Researching this, I found a Unix & Linux Stack Exchange question, "kernel 5.10.119 caused the values of /proc/sys/kernel/random/entropy_avail and poolsize to be 256", that describes a recent change in Linux kernel 5.10.119.

I am currently on Linux kernel 5.10.127-1 (2022-06-30).

To work around this, I adjusted the checks to both be 200, instead of one being 200 and the other 400 (on creation of DNSSEC records).

I was able to successfully generate the DNSSEC for my zone and issue /usr/local/ispconfig/server/server.sh without additional error.

This is probably NOT the best way to handle this… but I’m not sure what else to do at this point.
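
The following diagnostic is an added example, not ISPConfig code: it compares entropy_avail and poolsize against the two thresholds quoted above (400 on create, 200 on update) and flags a check as unsatisfiable when poolsize itself is below the threshold, in which case no entropy daemon such as haveged can make it pass. The function names and the values in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not part of ISPConfig. The thresholds are the ones
# quoted above from bind_plugin.inc.php.
CREATE_MIN=400   # soa_dnssec_create() refuses below this
UPDATE_MIN=200   # soa_dnssec_update() refuses below this

# classify_check <entropy_avail> <poolsize> <threshold>  (hypothetical helper)
# Prints one of:
#   pass          - entropy_avail meets the threshold
#   low           - below the threshold, but the pool is large enough to reach it
#   unsatisfiable - poolsize is below the threshold, so entropy_avail can
#                   never reach it however much entropy is gathered
classify_check() {
    avail=$1; pool=$2; min=$3
    if [ "$avail" -ge "$min" ]; then
        echo pass
    elif [ "$pool" -lt "$min" ]; then
        echo unsatisfiable
    else
        echo low
    fi
}

# report [entropy_avail] [poolsize]
# With no arguments, reads the live values from /proc.
report() {
    avail=${1:-$(cat /proc/sys/kernel/random/entropy_avail)}
    pool=${2:-$(cat /proc/sys/kernel/random/poolsize)}
    echo "entropy_avail=$avail poolsize=$pool"
    echo "soa_dnssec_create (min $CREATE_MIN): $(classify_check "$avail" "$pool" "$CREATE_MIN")"
    echo "soa_dnssec_update (min $UPDATE_MIN): $(classify_check "$avail" "$pool" "$UPDATE_MIN")"
}

# Constructed sample values: `report 256 256` models the kernel described
# above; `report 150 4096` models an older kernel with a 4096-bit pool.
if [ -r /proc/sys/kernel/random/entropy_avail ] &&
   [ -r /proc/sys/kernel/random/poolsize ]; then
    report
fi
```

On a host where the create check comes back unsatisfiable, the "low on entropy" message does not indicate an actual shortage; the threshold simply exceeds what the kernel will ever report.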
