DNSSEC tools effectively ignore the "-r" command line switch when linked with specific OpenSSL versions
In order for the -r switch to actually cause entropy to be gathered from the path supplied to it, the dst library must register itself in OpenSSL as the default source of entropy. However, this will not happen in certain circumstances:
- for BIND 9.11, it will not happen if OpenSSL already has a default source of entropy set,
- for BIND 9.12, it will not happen if BIND is compiled with --enable-crypto-rand or if OpenSSL already has a default source of entropy set.
Note that OpenSSL versions between 1.0.1 and 1.0.1e (inclusive) use the "Intel RDRAND engine" as the default source of entropy. One prominent user of OpenSSL 1.0.1e is RHEL/CentOS 6.
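To make the registration precondition concrete, here is an added example that is not BIND's or OpenSSL's code. It models the "install the -r source only if no default is already set" policy against an explicit-override policy. OpenSSL's RAND_set_rand_method()/RAND_get_rand_method() are replaced by a single global pointer (`current_method`), the RDRAND engine is replaced by a stand-in that emits a fixed byte, and the seed file is a constructed in-memory buffer, so the program compiles and runs without OpenSSL headers. The names `register_if_no_default`, `register_override` and `model_rand_bytes` are hypothetical, chosen for this example only.

```c
/* Added example: a stand-in model of OpenSSL's default RAND method slot.
 * Not BIND or OpenSSL code; the global pointer replaces
 * RAND_set_rand_method()/RAND_get_rand_method(). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    const char *name;
    int (*bytes)(unsigned char *buf, int num);
} rand_method;

/* Stands in for the RAND method OpenSSL currently treats as its default. */
static rand_method *current_method = NULL;

/* Stand-in for an engine-provided source (e.g. an RDRAND engine already
 * installed as the default): always emits 0xEE so it is easy to recognise. */
static int engine_bytes(unsigned char *buf, int num) {
    memset(buf, 0xEE, num);
    return 1;
}
static rand_method engine_method = { "engine (stand-in)", engine_bytes };

/* Stand-in for the file-backed source that -r <path> is meant to install.
 * The "file" is a constructed in-memory buffer so the example runs offline. */
static const unsigned char seed_file[] = "constructed-seed-bytes-0123456789";
static size_t seed_pos = 0;
static int file_bytes(unsigned char *buf, int num) {
    for (int i = 0; i < num; i++) {
        buf[i] = seed_file[seed_pos];
        seed_pos = (seed_pos + 1) % (sizeof(seed_file) - 1); /* skip the NUL */
    }
    return 1;
}
static rand_method file_method = { "randomdev (-r path)", file_bytes };

/* Policy A: defer to any default that is already installed.
 * Returns true only if the -r source actually became the default. */
bool register_if_no_default(void) {
    if (current_method != NULL)
        return false;            /* -r is silently ignored here */
    current_method = &file_method;
    return true;
}

/* Policy B: treat -r as an explicit request and install unconditionally. */
bool register_override(void) {
    current_method = &file_method;
    return true;
}

const char *active_source_name(void) {
    return current_method ? current_method->name : "(none)";
}

/* Reset the model to a chosen pre-existing default (NULL = none set). */
void reset_model(rand_method *preset) {
    current_method = preset;
    seed_pos = 0;
}

/* What an application sees through RAND_bytes(): bytes from whichever
 * method is currently the default. Returns 0 if no method is installed. */
int model_rand_bytes(unsigned char *buf, int num) {
    if (current_method == NULL)
        return 0;
    return current_method->bytes(buf, num);
}

int main(void) {
    unsigned char buf[4];

    reset_model(&engine_method);   /* an engine is already the default */
    register_if_no_default();
    model_rand_bytes(buf, sizeof buf);
    printf("policy A: active=%s first byte=0x%02x\n", active_source_name(), buf[0]);

    reset_model(&engine_method);
    register_override();
    model_rand_bytes(buf, sizeof buf);
    printf("policy B: active=%s first byte=0x%02x\n", active_source_name(), buf[0]);
    return 0;
}
```

Under policy A the first byte comes back as 0xEE from the pre-installed engine and the -r path never contributes, which is the behaviour the report describes for the affected version/OpenSSL combinations; under policy B the same call returns the first seed-file byte.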
master is unaffected since the -r switch was dropped in it altogether.
While I agree that the dst library should prefer OpenSSL's default source of entropy over libisc-provided entropy, IMHO the -r switch is an explicit request to override that preference.