On 10.12.2015 16:05, Günther J. Niederwimmer wrote:
> On Thursday 10 December 2015, 12:51:19, Petr Spacek wrote:
>> On 9.12.2015 14:40, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> I would like to create an NSEC3PARAM record but my tests are not working :-(.
>>>
>>> Is there documentation for this problem? I can't find any documentation.
>>>
>>> My test is
>>>
>>> I make a "Salt" with this
>>>
>>> head -c 512 /dev/random | sha1sum | cut -b 1-16
>>> xxxxxxxxxxxxx...
>>>
>>> afterward I make with
>>> ldns-nsec3-hash -t 10 -s xxxxxxxxxxxxxxxxxx xxxxx.com
>>> xxxxx.....
>>>
>>> the result I would like to insert in the WebUI, but this is wrong?
>>>
>>> What is the correct syntax to create a NSEC3PARAM record?
>>>
>>> Thanks for an answer,
>>
>> Hello,
>>
>> FreeIPA just passes the value to BIND, so standard syntax per
>> http://tools.ietf.org/html/rfc5155#section-4.3
>> should work.
>>
>> I hope this helps.
> ;-)
>
> I am not a mathematics professor to understand this ;-)
>
> OK, I have to search again in the World Wide Web to find an answer.

NSEC3PARAM is a security parameter, so you need to do more reading about it before you can make an informed decision and pick the right parameters for your use case.

If you do not want to spend more time on this, just leave NSEC in place and be done with it. Improperly configured NSEC3 ("improper" for your purposes) will give only a false sense of security.

You can read the relevant chapters in the DNSSEC guide here:
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html

I hope this helps.

-- 
Petr^2 Spacek
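
Added example, not part of the original thread and not FreeIPA or BIND code: Python that validates the four-field NSEC3PARAM value described in RFC 5155 section 4.3 (hash algorithm, flags, iterations, salt) and, separately, computes a hashed owner name, to show that the hash printed by a hashing tool is not what goes into the record. Function names are illustrative assumptions; the sample values are those of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib
import struct

# base32hex alphabet (RFC 4648), obtained by translating standard base32 output.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata: str) -> dict:
    """Validate 'hash-alg flags iterations salt' (RFC 5155 section 4.3)."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields: hash-alg flags iterations salt")
    alg, flags, iterations = (int(f) for f in fields[:3])
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags != 0:
        raise ValueError("flags must be 0 in an NSEC3PARAM record")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations must fit in 16 bits")
    # '-' means an empty salt; otherwise hex digits without whitespace.
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt}


def to_wire(p: dict) -> bytes:
    """RDATA wire format: alg(1) flags(1) iterations(2) salt-length(1) salt."""
    header = struct.pack("!BBHB", p["alg"], p["flags"], p["iterations"], len(p["salt"]))
    return header + p["salt"]


def nsec3_hash(name: str, p: dict) -> str:
    """Hashed owner name: belongs to NSEC3 records, not to NSEC3PARAM."""
    labels = [l for l in name.lower().encode("ascii").split(b".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + p["salt"]).digest()
    for _ in range(p["iterations"]):  # additional iterations after the first hash
        digest = hashlib.sha1(digest + p["salt"]).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()


if __name__ == "__main__":
    params = parse_nsec3param("1 0 12 aabbccdd")  # RFC 5155 Appendix A values
    print("record value :", "1 0 12 aabbccdd")
    print("wire format  :", to_wire(params).hex())
    print("hashed owner :", nsec3_hash("example", params))
```
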