ISPConfig3 – DNSSEC ERROR: We are low on entropy.

It seems that ISPConfig3 checks whether the available entropy is below 200 in one place and below 400 in another, in the file /usr/local/ispconfig/server/bind_plugin.inc.php.

Line 93 and line 210 check for entropy availability.

Line 93, inside function soa_dnssec_create():

if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
	$app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
	echo "DNSSEC ERROR: We are low on entropy. Not generating new Keys for $domain. Please consider installing package haveged.\n";
	return false;
}

Line 210, inside function soa_dnssec_update():

                if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
                        $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERROR);
                        echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
                        return false;
                }

My problem seems to be entropy_avail is 256.

Researching this, I found a Unix & Linux Stack Exchange question, "kernel 5.10.119 caused the values of /proc/sys/kernel/random/entropy_avail and poolsize to be 256", that describes a recent change in Linux kernel 5.10.119.

I am currently on Linux kernel 5.10.127-1 (2022-06-30).

To work around this, I adjusted the checks to both be 200, instead of one being 200 and the other 400 (on creation of DNSSEC records).

I was able to successfully generate the DNSSEC for my zone and issue /usr/local/ispconfig/server/server.sh without additional error.

This is probably NOT the best way to handle this… but I’m not sure what else to do at this point.
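
An added example (not from the original post and not ISPConfig code): a small POSIX shell check that compares the two thresholds quoted above, 400 and 200, with entropy_avail and poolsize, and flags a threshold that the kernel can never satisfy because it is larger than the pool. The function names and the optional directory argument (used to test against constructed files) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify an entropy threshold against what the kernel reports.

# read_int FILE: print the integer stored in FILE; fail if unreadable or not numeric.
read_int() {
    [ -r "$1" ] || return 1
    v=$(tr -d '[:space:]' < "$1")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# check_threshold THRESHOLD [DIR]
# Prints ok, low, unreachable or error; exit status 0, 1, 2 or 3 respectively.
# DIR defaults to the real procfs location (hypothetical parameter for testing).
check_threshold() {
    threshold=$1
    dir=${2:-/proc/sys/kernel/random}
    avail=$(read_int "$dir/entropy_avail") || { echo error; return 3; }
    pool=$(read_int "$dir/poolsize") || { echo error; return 3; }
    # entropy_avail never exceeds poolsize, so a larger threshold always fails
    # a "< threshold" test no matter how healthy the random pool is.
    if [ "$threshold" -gt "$pool" ]; then
        echo unreachable
        return 2
    fi
    if [ "$avail" -lt "$threshold" ]; then
        echo low
        return 1
    fi
    echo ok
}

# report [DIR]: show the verdict for both thresholds used in bind_plugin.inc.php.
report() {
    for t in 400 200; do
        printf 'threshold %s: %s\n' "$t" "$(check_threshold "$t" "${1:-/proc/sys/kernel/random}")"
    done
}

# Run the report only when asked, e.g.: sh entropy_check.sh --report
if [ "${1:-}" = "--report" ]; then
    report
fi
```

On a kernel where poolsize is 256, the 400 check is reported as unreachable rather than low, which separates a threshold problem from a real entropy shortage.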
