mariano.silva wrote: Sorry for the delay in getting back to you @starcms. I'm not using a DNSSEC resolver, and I'm not getting the entropy warnings. I've switched to 'd0wn-it-ns1' which supports DNSSEC now, and will leave it running for some time to see if I see the warning and report back to you.
If you are going to get the entropy warning, it will only occur on boot if you are using a DNSSEC resolver. Or at least that's what it seems to be from what others have commented combined with my own experience. So, if you are using a resolver that supports DNSSEC (d0wn-it-ns1 does), reboot, and check if you see the entropy warnings in the log. I'm 99.9% positive you will. You won't get the warnings simply by switching to a resolver that supports DNSSEC and restarting dnscrypt-proxy, because a couple of minutes after boot the entropy pool reaches a very healthy level and maintains it. The entropy level would have dropped slightly when you changed to a resolver that supports DNSSEC and restarted dnscrypt-proxy, but not to a level below 1000 to trigger the warning.
The warnings only occur once upon boot, because on boot the entropy pool is low (<1000, around 800). After a few minutes, it rises and maintains a very healthy level (>>>1000, around 3400). So at that time, dnscrypt will automatically try loading again and succeed. The entropy level should always be >1000 for proper functioning of all packages.
However, to get a larger entropy pool on boot and get rid of the warning messages, you can simply install the package haveged. No configuration is required at all. This will get you an entropy of around 2000 on boot, eliminating the warning messages, and allow dnscrypt to load on its first try. Then, the entropy will still rise normally using the default methods to around 3400 after a couple of minutes (actually it maintains a constant level of 3413 for me, regardless of whether you have haveged installed or not. Of course if you do something that requires entropy, such as generating an encrypted key using openssh, it will drop some for a minute or so. But because it maintains such a very healthy level of 3413, I can't imagine it dropping below 1000 under any circumstance). Haveged simply puts more entropy into the pool on boot before the kernel can get entropy from its regular sources (I believe the kernel draws entropy from the wifi driver, amongst other things).
You can easily observe the entropy level at any time by running the command:
cat /proc/sys/kernel/random/entropy_avail
I had never noticed this before, because up until a week or two ago, I had been using 'cisco' as my resolver, which doesn't support DNSSEC. Apparently DNSSEC makes dnscrypt require more entropy to generate the additional encryption keys needed.
(Last edited by starcms on 31 May 2017, 05:56)
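A small poll-and-report script around the entropy_avail check described in the post above, added here as an example (it is not part of starcms's post or of dnscrypt-proxy). It samples the pool repeatedly so the boot-time dip below 1000 and the later recovery can be seen in one run; the file path, threshold and function names are my own choices, and ENTROPY_FILE can be pointed at a constructed file for testing.

```shell
#!/bin/sh
# Added example (not from the original post): repeatedly read the kernel
# entropy pool, flag samples below the level at which the post reports the
# dnscrypt-proxy warning, and return non-zero if any sample was low.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
THRESHOLD=1000   # below this the post reports the dnscrypt-proxy warning

# read_entropy FILE -> prints the current pool size as one integer
read_entropy() {
    tr -dc '0-9' < "$1"
}

# classify VALUE -> "low" if below THRESHOLD, otherwise "ok"
classify() {
    if [ "$1" -lt "$THRESHOLD" ]; then echo low; else echo ok; fi
}

# watch_entropy FILE SAMPLES INTERVAL
# Prints one line per sample and a final "min=.. max=.. low=N/SAMPLES"
# summary; exit status is 0 only when no sample fell below THRESHOLD.
watch_entropy() {
    file=$1; samples=$2; interval=$3
    i=0; low=0; min=""; max=""
    while [ "$i" -lt "$samples" ]; do
        v=$(read_entropy "$file")
        if [ -z "$min" ] || [ "$v" -lt "$min" ]; then min=$v; fi
        if [ -z "$max" ] || [ "$v" -gt "$max" ]; then max=$v; fi
        state=$(classify "$v")
        if [ "$state" = low ]; then low=$((low + 1)); fi
        printf 'sample %d: entropy_avail=%s (%s)\n' "$i" "$v" "$state"
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    printf 'min=%s max=%s low=%d/%d\n' "$min" "$max" "$low" "$samples"
    [ "$low" -eq 0 ]
}

# Stand-alone use: WATCH_ENTROPY=1 ./entropy-watch.sh samples 10 readings,
# 30 seconds apart (about the window in which the post says the pool recovers).
if [ "${WATCH_ENTROPY:-0}" = 1 ]; then
    watch_entropy "$ENTROPY_FILE" 10 30
fi
```

Run it from a boot script or a cron entry shortly after startup and grep the log for "low" to confirm whether haveged actually removed the dip on your router.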