From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 9 Jul 2021 20:52:21 +0200
Subject: [PATCH] Use proper entropy to initialize tsig keyname
Random names used on GSS backed nsupdate can conflict in specific
situations. That might include starting a lot of machines from
containers, where they took all similar time to start. PID and timestamp
would be similar and therefore randomness is quite low. Use entropy to
generate more random identifier and reduce chance of conflict.
---
 bin/nsupdate/nsupdate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
bad511
index 458aa76..d9e5a2b 100644
bad511
--- a/bin/nsupdate/nsupdate.c
bad511
+++ b/bin/nsupdate/nsupdate.c
bad511
@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
bad511
 
bad511
 	keyname = dns_fixedname_initname(&fkname);
bad511
 
bad511
-	isc_random_get(&val;;
bad511
+	result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
bad511
+	if (result != ISC_R_SUCCESS)
bad511
+		isc_random_get(&val;;
bad511
 	result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
bad511
 				   val, namestr);
bad511
 	if (result != ISC_R_SUCCESS)
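Review bot: The fallback on the added lines, `if (result != ISC_R_SUCCESS)` followed by `isc_random_get(&val)`, silently returns to the generator whose PID/timestamp seeding the commit message names as the cause of key-name collisions, so a failing entropy source would go unnoticed. I would brace the branch and record the downgrade, e.g. a comment `/* entropy unavailable: fall back to isc_random, key names may collide */` plus a debug-level message using whatever logging helper this file already has. Note also that the key name still carries a single `%u` value, so uniqueness is presumably bounded by 32 bits however good the source is; widening the identifier would be a separate change. The body of start_gssrequest starts and ends outside this hunk, so the declaration of `val` and the initialisation of `entropy` cannot be checked from here.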
-- 
2.31.1