On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
> On 16.5.2016 08:47, Martin Kosek wrote:
> > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> >> Hello,
> >>
> >> Thanks for the answer,
> >>
> >> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> >>>> Hello,
> >>>> I have the problem of finding the correct way for NSEC3PARAM?
> >>>>
> >>>> With your help I have found this:
> >>>>
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags> <iterations> <salt>"
> >>>>
> >>>> But it does not work correctly?
> >>>>
> >>>> Now the question, is this the correct way
> >>>>
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >>>>
> >>>> to insert the NSEC3PARAMETER??
> >>>
> >>> This should be right, there were related fixes by
> >>> https://fedorahosted.org/freeipa/ticket/4413
> >>>
> >>> Your second command works in my test environment:
> >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >>> # dig -t nsec3param example.com. +short
> >>> 1 7 100 F9BA6264232B7283
> >>
> >> The question is now, I mean the <flags> parameter is wrong?
> >>
> >> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)
> >>
> >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> >>
> >> and a
> >>
> >> dig -t nsec3param example.com. +short
> >>
> >> the result is
> >>
> >> 1 0 10 ............
> >>
> >> 1 is sha1
> >> so I mean (?) "0" is the correct parameter?
> >> "10" is the default for Bind
> >>
> >> so I hope this is working correctly now
> >>
> >> Thanks for testing and answering
> >
> > Ahh, now I understand what you were asking about. The validators we have
> > in DNS records are only limited, mostly to check that you are entering
> > the right number of fields or that the data type is OK. They usually do
> > not do any more complex evaluation. I would let Petr Spacek say if we
> > need to change anything in FreeIPA in this case.
>
> Looking at
> https://tools.ietf.org/html/rfc5155#section-4
> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

Petr, I read this all, but I mean I read it wrong ;-) A nicer way to implement this is an automatic configuration, only with a button :-)). Thanks for the help,

> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> change in future).
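As an added example (not FreeIPA's own validator code, and not from anyone in this thread), here is a Python check of the NSEC3PARAM presentation format discussed above, applying the constraints of RFC 5155 section 4 and the IANA registry Petr links: it rejects the "1 7 100 ..." value and accepts the "1 0 10 ..." value that BIND produced. The function and constant names are my own.

```python
import re

# IANA DNSSEC NSEC3 Parameters registry: only hash algorithm 1 (SHA-1) is defined.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}
_UINT_RE = re.compile(r"[0-9]+\Z")
_HEX_RE = re.compile(r"[0-9A-Fa-f]+\Z")

def validate_nsec3param(text):
    """Return a list of problems with an NSEC3PARAM presentation string
    ("<hash_algorithm> <flags> <iterations> <salt>", RFC 5155 section 4);
    an empty list means the value is valid."""
    fields = text.split()
    if len(fields) != 4:
        return ["expected 4 fields (hash_algorithm flags iterations salt), got %d"
                % len(fields)]
    alg_s, flags_s, iter_s, salt = fields
    if not all(_UINT_RE.match(f) for f in (alg_s, flags_s, iter_s)):
        return ["hash_algorithm, flags and iterations must be unsigned integers"]
    alg, flags, iterations = int(alg_s), int(flags_s), int(iter_s)

    problems = []
    if alg not in NSEC3_HASH_ALGORITHMS:
        problems.append("unknown hash algorithm %d (IANA defines only 1 = SHA-1)" % alg)
    # RFC 5155 4.1.2: all NSEC3PARAM flag bits are reserved and MUST be zero,
    # so the "1 7 100 ..." value from the thread is rejected here.
    if flags != 0:
        problems.append("flags must be 0, got %d" % flags)
    if iterations > 0xFFFF:
        problems.append("iterations must fit in 16 bits, got %d" % iterations)
    # Salt is "-" for no salt, otherwise hex; the wire-format salt length field is
    # one octet, so at most 255 octets, and hex needs an even number of digits.
    if salt != "-":
        if not _HEX_RE.match(salt) or len(salt) % 2:
            problems.append("salt must be '-' or an even-length hex string")
        elif len(salt) // 2 > 255:
            problems.append("salt longer than 255 octets")
    return problems

def parse_nsec3param(text):
    """Parse a valid NSEC3PARAM string into its fields (salt normalised to the
    upper-case hex that dig prints); raise ValueError listing the problems."""
    problems = validate_nsec3param(text)
    if problems:
        raise ValueError("invalid NSEC3PARAM %r: %s" % (text, "; ".join(problems)))
    alg, flags, iterations, salt = text.split()
    return {"hash_algorithm": int(alg), "flags": int(flags),
            "iterations": int(iterations),
            "salt": "" if salt == "-" else salt.upper()}
```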
