Hello,

Thanks for the answer,

On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have the problem of finding the correct way for NSEC3PARAM?
> >
> > With your help I have found this
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
> > <iterations> <salt>"
> >
> > But it does not work correctly?
> >
> > Now the question, is this the correct way
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >
> > to insert the NSEC3PARAMETER??
>
> This should be right, there were related fixes by
> https://fedorahosted.org/freeipa/ticket/4413
>
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283

The question is now, I mean the <flags> parameter is wrong?

I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE

and a

dig -t nsec3param example.com. +short

the result is

1 0 10 ............

1 is sha1, so I mean (?) "0" is the correct parameter?

"10" is the default for Bind, so I hope this is working correctly now.

Thanks for testing and for the answer
--
Best regards,

Günther J. Niederwimmer
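Added example, not part of the original message and not FreeIPA or BIND code: a small checker for the four NSEC3PARAM fields discussed in the thread, following RFC 5155 (section 4.1.2 says an NSEC3PARAM record with a non-zero flags field must be ignored), plus the RFC 5155 section 5 hash so the effect of salt and iterations is visible. The function names are hypothetical, and the second sample record is constructed by reusing the salt from the thread.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet used by NSEC3.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_nsec3param(rdata):
    """Parse '<alg> <flags> <iterations> <salt>'; return (fields, problems)."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    alg, flags, iterations = (int(p) for p in parts[:3])
    salt = b"" if parts[3] == "-" else bytes.fromhex(parts[3])  # "-" = no salt
    problems = []
    if alg != 1:
        problems.append("hash algorithm %d is not 1 (SHA-1)" % alg)
    if flags != 0:
        problems.append("flags is %d; RFC 5155 requires 0 in NSEC3PARAM" % flags)
    if not 0 <= iterations <= 0xFFFF:
        problems.append("iterations does not fit in 16 bits")
    if len(salt) > 255:
        problems.append("salt is longer than 255 octets")
    fields = {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt}
    return fields, problems

def nsec3_hash(name, salt, iterations):
    """Hashed owner label: H(x || salt), then `iterations` further rounds."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

if __name__ == "__main__":
    # First value is from the thread; the second is constructed for comparison.
    for rdata in ("1 7 100 f9ba6264232b7283", "1 0 10 f9ba6264232b7283"):
        fields, problems = parse_nsec3param(rdata)
        print(rdata, "->", "; ".join(problems) or "ok")
        print("  example.com. hashes to",
              nsec3_hash("example.com.", fields["salt"], fields["iterations"]))
```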
