On 16.5.2016 08:47, Martin Kosek wrote:
> On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Thanks for the answer,
>>
>> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
>>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>> I have the problem of finding the correct way for NSEC3PARAM?
>>>>
>>>> With your help I have found this
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags> <iterations> <salt>"
>>>>
>>>> But it does not work correctly?
>>>>
>>>> Now the question, is this the correct way
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>>
>>>> to insert the NSEC3PARAMETER??
>>>
>>> This should be right, there were related fixes by
>>> https://fedorahosted.org/freeipa/ticket/4413
>>>
>>> Your second command works in my test environment:
>>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>> # dig -t nsec3param example.com. +short
>>> 1 7 100 F9BA6264232B7283
>>
>> The question now is, I mean the <flags> parameter is wrong?
>>
>> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)
>>
>> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>>
>> and a
>>
>> dig -t nsec3param example.com. +short
>>
>> the result is
>>
>> 1 0 10 ............
>>
>> 1 is sha1
>> so I mean (?) "0" is the correct parameter?
>> "10" is the default for Bind
>>
>> so I hope this is now working correctly
>>
>> Thanks for testing and answering
>
> Ahh, now I understand what you were asking about. The validators we have in DNS
> records are only limited, mostly to check that you are entering the right
> number of fields or that the data type is OK. They usually do not do any more
> complex evaluation. I would let Petr Spacek say if we need to change anything
> in FreeIPA in this case.
Looking at
https://tools.ietf.org/html/rfc5155#section-4
http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

The only valid value for NSEC3PARAM flags is 0 (at the moment, this might change in future).

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
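The thread ends with the observation that FreeIPA's record validators only check field count and data type, and that RFC 5155 section 4 plus the IANA registry allow exactly one flags value (0) for NSEC3PARAM. The following is an added example, not FreeIPA, BIND or any project's code, of what a stricter validator for the `"<hash_algorithm> <flags> <iterations> <salt>"` presentation format looks like: it parses the four fields, rejects the `flags=7` value from the original command, enforces the 16-bit iteration count, the one-octet salt length and the `-` spelling for an empty salt, and can serialise the record to wire format so the length limits are visible. The function names (`parse_nsec3param`, `validation_error`, `Nsec3Param`) are chosen here for illustration, and the hash-algorithm table contains only SHA-1 (1), which is the only value assigned in the IANA registry the thread links to.

```python
"""Strict NSEC3PARAM presentation-format validator (added example, not FreeIPA code).

Follows RFC 5155 section 4 and the IANA "DNSSEC NSEC3 Parameters" registry:
  <hash_algorithm> <flags> <iterations> <salt>
"""
import struct
from dataclasses import dataclass
from typing import Optional

# IANA DNSSEC NSEC3 Hash Algorithms registry: only value 1 (SHA-1) is assigned.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}


@dataclass(frozen=True)
class Nsec3Param:
    hash_algorithm: int
    flags: int
    iterations: int
    salt: bytes  # raw salt octets; b"" is written as "-" in presentation format

    def to_presentation(self) -> str:
        """Render in the form `dig -t nsec3param` prints (salt as upper-case hex)."""
        salt = self.salt.hex().upper() if self.salt else "-"
        return f"{self.hash_algorithm} {self.flags} {self.iterations} {salt}"

    def to_wire(self) -> bytes:
        """RFC 5155 section 4.2 RDATA: alg(1) flags(1) iterations(2) saltlen(1) salt."""
        return struct.pack("!BBHB", self.hash_algorithm, self.flags,
                           self.iterations, len(self.salt)) + self.salt


def parse_nsec3param(rdata: str) -> Nsec3Param:
    """Parse and validate one NSEC3PARAM RDATA string; raise ValueError on any violation."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    alg_s, flags_s, iter_s, salt_s = fields

    try:
        alg, flags, iterations = int(alg_s), int(flags_s), int(iter_s)
    except ValueError:
        raise ValueError("hash algorithm, flags and iterations must be decimal integers") from None

    if alg not in NSEC3_HASH_ALGORITHMS:
        raise ValueError(f"unassigned NSEC3 hash algorithm {alg}")
    # RFC 5155 section 4.1.2: NSEC3PARAM flags are reserved and must be zero.
    # (Opt-Out lives in the NSEC3 RR, not in NSEC3PARAM.)
    if flags != 0:
        raise ValueError(f"NSEC3PARAM flags must be 0, got {flags}")
    # Iterations is a 16-bit field on the wire.
    if not 0 <= iterations <= 65535:
        raise ValueError(f"iterations must be 0..65535, got {iterations}")

    if salt_s == "-":
        salt = b""
    else:
        try:
            salt = bytes.fromhex(salt_s)  # rejects odd length and non-hex characters
        except ValueError:
            raise ValueError("salt must be '-' or an even-length hex string") from None
        if len(salt) > 255:  # salt length is a one-octet field
            raise ValueError(f"salt is {len(salt)} octets, maximum is 255")

    return Nsec3Param(alg, flags, iterations, salt)


def validation_error(rdata: str) -> Optional[str]:
    """Return None if `rdata` is an acceptable NSEC3PARAM, else the reason it is not."""
    try:
        parse_nsec3param(rdata)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The two values from the thread: the first is what the field-count check let through.
    for rec in ("1 7 100 f9ba6264232b7283", "1 0 10 f9ba6264232b7283", "1 0 0 -"):
        err = validation_error(rec)
        print(f"{rec!r}: {'OK ' + parse_nsec3param(rec).to_presentation() if err is None else 'REJECT ' + err}")
```

Running the module prints a REJECT line for `1 7 100 ...` and OK lines for the BIND-style `1 0 10 ...` record and for the zero-iteration, empty-salt form. The validator enforces only what RFC 5155 makes mandatory; it does not impose an iteration or salt policy, so a caller that wants to follow later operational guidance (RFC 9276 recommends 0 additional iterations and an empty salt) adds that check on top.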
