On 16.05.2016 13:44, Günther J. Niederwimmer wrote:
Am Montag, 16. Mai 2016, 13:13:04 CEST schrieb Petr Spacek:
On 16.5.2016 08:47, Martin Kosek wrote:
On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
Hello,
Thanks for answer,
Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek:
On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
Hello,
I have the problem of finding the correct way for NSEC3PARAM?
With your help I found this:
ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags> <iterations> <salt>"
But it does not work correctly?
Now the question is, is this the correct way
ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
to insert the NSEC3PARAM record??
This should be right, there were related fixes by
https://fedorahosted.org/freeipa/ticket/4413
Your second command works in my test environment:
# ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
# dig -t nsec3param example.com. +short
1 7 100 F9BA6264232B7283
The question now is, I think the <flags> parameter is wrong?
I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
and a
dig -t nsec3param example.com. +short
the result is
1 0 10 ............
1 is SHA-1
so I think (?) "0" is the correct parameter?
"10" is the default for Bind
so I hope this is working correctly now
Thanks for testing and answering
Ahh, now I understand what you were asking about. The validators we have
in DNS records are only limited, mostly to check that you are entering
the right number of fields or that the data type is OK. They usually do
not do any more complex evaluation. I would let Petr Spacek say if we
need to change anything in FreeIPA in this case.
Looking at
https://tools.ietf.org/html/rfc5155#section-4
http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2
Petr, I read all this, but I think I read it wrong ;-)
A nicer way to implement this is an automatic configuration with only a button
:-)).
Thanks for the Help,
Hello, can you please file an RFE ticket?
https://fedorahosted.org/freeipa/newticket
And it would be nice to provide in that ticket what kind of default values
are suitable for it.
Martin
The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
change in future).
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
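As an added illustration of the point made in this thread (not code from FreeIPA or from any participant), here is a stricter parser for presentation-format NSEC3PARAM rdata that enforces the RFC 5155 rules the FreeIPA field validator does not: flags must be 0, the hash algorithm must be a registered one, iterations must fit in 16 bits and the salt must be "-" or hex of at most 255 octets. The class and function names are my own.

```python
import re
from dataclasses import dataclass

# IANA "DNSSEC NSEC3 Hash Algorithms" registry: 0 is reserved, 1 is SHA-1
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}


@dataclass(frozen=True)
class Nsec3Param:
    hash_algorithm: int
    flags: int
    iterations: int
    salt: bytes  # empty when the presentation format shows "-"


def parse_nsec3param(rdata: str) -> Nsec3Param:
    """Parse "<hash_algorithm> <flags> <iterations> <salt>" and reject values
    that are syntactically fine but invalid under RFC 5155 section 4."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    alg_s, flags_s, iter_s, salt_s = fields
    # unsigned decimal integers only (no sign, no hex, no underscores)
    if not all(s.isdigit() for s in (alg_s, flags_s, iter_s)):
        raise ValueError("hash algorithm, flags and iterations must be unsigned decimal")
    alg, flags, iterations = int(alg_s), int(flags_s), int(iter_s)
    if alg not in NSEC3_HASH_ALGORITHMS:
        raise ValueError(f"unknown NSEC3 hash algorithm {alg}")
    # RFC 5155 defines no flag bits for NSEC3PARAM; the thread's "1 7 100 ..." fails here
    if flags != 0:
        raise ValueError(f"NSEC3PARAM flags must be 0, got {flags}")
    if iterations > 0xFFFF:
        raise ValueError("iterations must fit in 16 bits")
    if salt_s == "-":
        salt = b""
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,255}", salt_s):
        salt = bytes.fromhex(salt_s)
    else:
        raise ValueError("salt must be '-' or even-length hex of at most 255 octets")
    return Nsec3Param(alg, flags, iterations, salt)


def to_wire(p: Nsec3Param) -> bytes:
    """Wire format (RFC 5155 section 4.1): alg(1) flags(1) iterations(2) saltlen(1) salt."""
    return (bytes([p.hash_algorithm, p.flags])
            + p.iterations.to_bytes(2, "big")
            + bytes([len(p.salt)]) + p.salt)
```

Note that current guidance (RFC 9276) recommends zero iterations and an empty salt, so "1 0 0 -" is the value a new zone would normally want.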