Hello,

Thanks for answer,

Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have the Problem to find the correct way for NSEC3PARAM ?
> > 
> > With your Help I have this found
> > 
> > ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
> > <iterations> <salt>"
> > 
> > But it dos not work correct ?
> > 
> > Now the question, is this the correct way
> > 
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> > 
> > to insert the NSEC3PARAMETER ??
> 
> This should be right, there were related fixes by
> https://fedorahosted.org/freeipa/ticket/4413
> 
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283

The question is now, I mean the <flags> Parameter is wrong ?

I make a test without Freeipa on a "normal" DNS (DNSSEC) installation (bind 9)

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N 
INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE

and a

dig -t nsec3param example.com. +short 

the relult is

1 0 10 ............

1 is sha1 
so I mean (?) "0" is the correct parameter ?.
"10" is the default for Bind

so I hope this is working now correct 

Thanks for testing and answer

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to