On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> Hello,
> 
> Thanks for answer,
> 
> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek:
>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>> I have a problem finding the correct way for NSEC3PARAM?
>>>
>>> With your Help I have this found
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
>>> <iterations> <salt>"
>>>
>>> But it does not work correctly?
>>>
>>> Now the question: is this the correct way
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>
>>> to insert the NSEC3PARAMETER?
>>
>> This should be right, there were related fixes by
>> https://fedorahosted.org/freeipa/ticket/4413
>>
>> Your second command works in my test environment:
>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>> # dig -t nsec3param example.com. +short
>> 1 7 100 F9BA6264232B7283
> 
> The question now is: I mean the <flags> parameter is wrong?
> 
> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
> 
> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> 
> and a
> 
> dig -t nsec3param example.com. +short 
> 
> the result is
> 
> 1 0 10 ............
> 
> 1 is SHA1,
> so I mean (?) "0" is the correct parameter?
> "10" is the default for Bind
> 
> so I hope this is now working correctly.
> 
> Thanks for testing and answer

Ahh, now I understand what you were asking about. The validators we have for DNS
records are only limited, mostly checking that you are entering the right
number of fields or that the data type is OK. They usually do not do any more
complex evaluation. I would let Petr Spacek say if we need to change anything
in FreeIPA in this case.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
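A stricter NSEC3PARAM check of the kind Martin says FreeIPA's validators do not do, added here as an example that is not from the thread or from FreeIPA: it parses the "<hash_algorithm> <flags> <iterations> <salt>" text and, beyond counting fields, rejects a non-zero Flags field as RFC 5155 requires, which is what makes "1 7 100 ..." wrong and BIND's "1 0 10 ..." right. Function names and the constructed inputs are mine.

```python
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_nsec3param(rdata: str) -> dict:
    """Validate NSEC3PARAM presentation-format RDATA ("<alg> <flags> <iterations> <salt>")
    against RFC 5155 and return its fields; raise ValueError on any violation."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    alg_s, flags_s, iter_s, salt = fields
    try:
        alg, flags, iterations = int(alg_s), int(flags_s), int(iter_s)
    except ValueError:
        raise ValueError("hash algorithm, flags and iterations must be decimal integers") from None
    # Only hash algorithm 1 (SHA-1) is assigned in the RFC 5155 registry; 0 is reserved.
    if alg != 1:
        raise ValueError(f"hash algorithm {alg} is not assigned; only 1 (SHA-1) is")
    # In NSEC3PARAM every flag bit is reserved and must be zero; the Opt-Out bit is only
    # meaningful in NSEC3 records, and resolvers MUST ignore an NSEC3PARAM with non-zero
    # flags (RFC 5155 section 4.1.2). So "7" here silently disables NSEC3 for validators.
    if flags != 0:
        raise ValueError(f"flags must be 0 in NSEC3PARAM, got {flags}")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError(f"iterations {iterations} does not fit the 16-bit field")
    # Salt is "-" for empty, otherwise an even-length hex string of at most 255 bytes;
    # hex case is irrelevant, which is why dig shows BIND's salt in upper case.
    if salt == "-":
        salt_bytes = b""
    elif HEX_RE.match(salt) and len(salt) % 2 == 0 and len(salt) <= 510:
        salt_bytes = bytes.fromhex(salt)
    else:
        raise ValueError(f"salt {salt!r} is not '-' or an even-length hex string of <= 255 bytes")
    return {"algorithm": alg, "flags": flags, "iterations": iterations, "salt": salt_bytes}


def check_nsec3param(rdata: str) -> tuple:
    """Go/no-go wrapper around parse_nsec3param that returns (ok, reason)."""
    try:
        parse_nsec3param(rdata)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: the value from the thread, and a BIND-style one with flags 0.
    for rdata in ("1 7 100 f9ba6264232b7283", "1 0 10 F9BA6264232B7283"):
        print(rdata, "->", check_nsec3param(rdata))
```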
