Am Montag, 16. Mai 2016, 13:13:04 CEST schrieb Petr Spacek:
> On 16.5.2016 08:47, Martin Kosek wrote:
> > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> >> Hello,
> >> 
> >> Thanks for answer,
> >> 
> >> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek:
> >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> >>>> Hello,
> >>>> I have the Problem to find the correct way for NSEC3PARAM ?
> >>>> 
> >>>> With your Help I have this found
> >>>> 
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
> >>>> <iterations> <salt>"
> >>>> 
> >>>> But it dos not work correct ?
> >>>> 
> >>>> Now the question, is this the correct way
> >>>> 
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
> >>>> f9ba6264232b7283"
> >>>> 
> >>>> to insert the NSEC3PARAMETER ??
> >>> 
> >>> This should be right, there were related fixes by
> >>> https://fedorahosted.org/freeipa/ticket/4413
> >>> 
> >>> Your second command works in my test environment:
> >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
> >>> f9ba6264232b7283"
> >>> # dig -t nsec3param example.com. +short
> >>> 1 7 100 F9BA6264232B7283
> >> 
> >> The question is now, I mean the <flags> Parameter is wrong ?
> >> 
> >> I make a test without Freeipa on a "normal" DNS (DNSSEC) installation
> >> (bind 9)
> >> 
> >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
> >> -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> >> 
> >> and a
> >> 
> >> dig -t nsec3param example.com. +short
> >> 
> >> the relult is
> >> 
> >> 1 0 10 ............
> >> 
> >> 1 is sha1
> >> so I mean (?) "0" is the correct parameter ?.
> >> "10" is the default for Bind
> >> 
> >> so I hope this is working now correct
> >> 
> >> Thanks for testing and answer
> > 
> > Ahh, now I understand what you were asking about. The validators we have
> > in DNS records are only limited, mostly to check that you are entering
> > the right number of fields or that the data type is OK. They usually do
> > not do any more complex evaluation. I would let Petr Spacek say if we
> > need to change anything in FreeIPA in this case.
> 
> Looking at
> https://tools.ietf.org/html/rfc5155#section-4
> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-paramet
> ers.xhtml#dnssec-nsec3-parameters-2

Petr, I read this all, but I mean I read it wrong ;-)

A nicer way to implement this, is a automatic configuration only with a button 
:-)).

Thanks for the Help, 
> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> change in future).



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to