Don't run un-necessary find command if using /dev/urandom, and make use of urandom optional https://sourceforge.net/tracker/?func=detail&atid=117457&aid=3599214&group_id=17457

bind8/bind8-lib.pl

@@ -44,7 +44,8 @@ $dnssec_cron_cmd = "$module_config_directory/resign.pl";
 $dnssec_dlv_zone = "dlv.isc.org.";
 @dnssec_dlv_key = ( 257, 3, 5, '"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh"' );
 
-if ($gconfig{'os_type'} =~ /-linux$/ && -r "/dev/urandom") {
+if ($gconfig{'os_type'} =~ /-linux$/ && -r "/dev/urandom" &&
+    !$config{'force_random'}) {
 	$rand_flag = "-r /dev/urandom";
 	}
 
@@ -3034,10 +3035,13 @@ foreach my $f (readdir(ZONEDIR)) {
 closedir(ZONEDIR);
 
 # Fork a background job to do lots of IO, to generate entropy
-local $pid = fork();
-if (!$pid) {
-	exec("find / -type f >/dev/null 2>&1");
-	exit(1);
+local $pid;
+if (!$rand_flag) {
+	$pid = fork();
+	if (!$pid) {
+		exec("find / -type f >/dev/null 2>&1");
+		exit(1);
+		}
 	}
 
 # Work out zone key size
@@ -3056,7 +3060,7 @@ local $out = &backquote_logged(
 	"$config{'keygen'} -a ".quotemeta($alg)." -b ".quotemeta($zonesize).
 	" -n ZONE $rand_flag $dom 2>&1");
 if ($?) {
-	kill('KILL', $pid);
+	kill('KILL', $pid) if ($pid);
 	return $out;
 	}
 
@@ -3066,13 +3070,13 @@ if (!$single) {
 		"cd ".quotemeta($fn)." && ".
 		"$config{'keygen'} -a ".quotemeta($alg)." -b ".quotemeta($size).
 		" -n ZONE -f KSK $rand_flag $dom 2>&1");
-	kill('KILL', $pid);
+	kill('KILL', $pid) if ($pid);
 	if ($?) {
 		return $out;
 		}
 	}
 else {
-	kill('KILL', $pid);
+	kill('KILL', $pid) if ($pid);
 	}
 
 # Get the new keys
@@ -3130,10 +3134,13 @@ local ($zonekey) = grep { !$_->{'ksk'} } @keys;
 $zonekey || return "Could not find DNSSEC zone key";
 
 # Fork a background job to do lots of IO, to generate entropy
-local $pid = fork();
-if (!$pid) {
-	exec("find / -type f >/dev/null 2>&1");
-	exit(1);
+local $pid;
+if (!$rand_flag) {
+	$pid = fork();
+	if (!$pid) {
+		exec("find / -type f >/dev/null 2>&1");
+		exit(1);
+		}
 	}
 
 # Work out zone key size
@@ -3146,7 +3153,7 @@ local $out = &backquote_logged(
 	"cd ".quotemeta($dir)." && ".
 	"$config{'keygen'} -a ".quotemeta($alg)." -b ".quotemeta($zonesize).
 	" -n ZONE $rand_flag $dom 2>&1");
-kill('KILL', $pid);
+kill('KILL', $pid) if ($pid);
 if ($?) {
 	return "Failed to generate new zone key : $out";
 	}

bind8/config-CentOS-Linux-6.0-*

@@ -51,3 +51,4 @@ dnssectools_conf=/etc/dnssec-tools/dnssec-tools.conf
 dnssectools_rollrec=/var/named/system.rollrec
 dnssectools_keydir=/var/named/dtkeys
 dnssectools_rollmgr_pidfile=/var/run/rollmgr.pid
+force_random=0

bind8/config-Redhat-Enterprise-Linux-6.0-*

@@ -44,3 +44,4 @@ signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
 restart_cmd=restart
+force_random=0

bind8/config-Scientific-Linux-6.0-*

@@ -44,3 +44,4 @@ signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
 restart_cmd=restart
+force_random=0

bind8/config-aix

@@ -35,3 +35,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-cobalt-linux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-coherent-linux

@@ -41,3 +41,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-corel-linux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-debian-linux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-debian-linux-2.2

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-debian-linux-3.0

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-debian-linux-3.1-*

@@ -41,3 +41,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-freebsd-2.1-2.2

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-freebsd-3.0

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-freebsd-3.1-3.5

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-freebsd-4.0-*

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-generic-linux

@@ -38,3 +38,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-gentoo-linux

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-hpux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-irix

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-macos

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-macos-1.3-*

@@ -38,3 +38,4 @@ signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
 pid_file=/var/run/named/named.pid /private/var/run/named/named.pid
+force_random=0

bind8/config-mandrake-linux

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-mandrake-linux-10.2-*

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-msc-linux

@@ -39,3 +39,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-netbsd

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-open-linux

@@ -39,3 +39,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-openbsd-2.5-3.1

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-openbsd-3.2-*

@@ -38,3 +38,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-openmamba-linux

@@ -39,3 +39,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-openserver

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-osf1

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-pardus-linux

@@ -42,3 +42,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-redhat-linux

@@ -39,3 +39,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-redhat-linux-10.0

@@ -44,3 +44,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-redhat-linux-11.0-23.0

@@ -44,3 +44,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-redhat-linux-24.0-*

@@ -44,3 +44,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-redhat-linux-7.1-9.0

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-slackware-linux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-slackware-linux-8.0-*

@@ -38,3 +38,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-sol-linux

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-solaris

@@ -38,3 +38,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-solaris-10-*

@@ -38,3 +38,4 @@ keygen=/usr/bin/dnssec-keygen
 signzone=/usr/bin/dnssec-signzone
 checkconf=/usr/bin/named-checkconf
 other_slaves=1
+force_random=0

bind8/config-solaris-7-9

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-suse-linux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-suse-linux-8.2

@@ -42,3 +42,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-suse-linux-9.0-9.2

@@ -43,3 +43,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-suse-linux-9.3-*

@@ -45,3 +45,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-trustix-linux

@@ -44,3 +44,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-trustix-linux-2.1

@@ -44,3 +44,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-trustix-linux-2.2-*

@@ -44,3 +44,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-turbo-linux

@@ -37,3 +37,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-united-linux

@@ -40,3 +40,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-unixware

@@ -38,3 +38,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config-windows

@@ -55,3 +55,4 @@ keygen=dnssec-keygen
 signzone=dnssec-signzone
 checkconf=named-checkconf
 other_slaves=1
+force_random=0

bind8/config.info

@@ -42,6 +42,7 @@ ipv6_mode=Domain for reverse IPv6 addresses,1,1-ip6.arpa,0-ip6.int
 confirm_zone=Confirm before deleting zones?,1,1-Yes,0-No
 confirm_rec=Confirm before deleting records?,1,1-Yes,0-No
 free_nets=IP networks for free addresses,3,Automatic
+force_random=Entropy source for DNSSEC keys,1,1-/dev/random (Secure but slow),0-/dev/urandom (Possibly insecure but fast)
 
 line2.5=Cluster slave servers,11
 this_ip=Default master server IP for remote slave zones,3,IP address of hostname