On 16.05.2016 13:44, Günther J. Niederwimmer wrote:
Hello, can you please file an RFE ticket?
On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
On 16.5.2016 08:47, Martin Kosek wrote:
On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
Thanks for the answer,
On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
I have a problem finding the correct way for NSEC3PARAM.
With your help I have found this:
ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
But it does not work correctly?
Now the question: is this the correct way
ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
to insert the NSEC3PARAMETER?
This should be right, there were related fixes by
Your second command works in my test environment:
# ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
# dig -t nsec3param example.com. +short
1 7 100 F9BA6264232B7283
The question is now, I mean the <flags> parameter is wrong?
I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
-N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
dig -t nsec3param example.com. +short
the result is
1 0 10 ............
1 is sha1
so I mean (?) "0" is the correct parameter?
"10" is the default for BIND
so I hope this is now working correctly
Thanks for testing and for the answer
Ahh, now I understand what you were asking about. The validators we have
in DNS records are only limited, mostly to check that you are entering
the right number of fields or that the data type is OK. They usually do
not do any more complex evaluation. I would let Petr Spacek say if we
need to change anything in FreeIPA in this case.
Petr, I read this all, but I mean I read it wrong ;-)
A nicer way to implement this is an automatic configuration with only a button
Thanks for the help,
And would be nice to provide what kind of default values are suitable
for it in that ticket.
The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
change in future).
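
Added example, not part of the thread and not FreeIPA's own code: a stricter check for the value passed to --nsec3param-rec than the field-count validation described above, rejecting non-zero flags. The field rules are taken from RFC 5155; the function and constant names are hypothetical.

```python
import re

# Field rules follow RFC 5155; function and constant names are hypothetical
# and this is not FreeIPA's own validator.
HASH_ALGORITHMS = {1: "SHA-1"}   # the only hash algorithm assigned for NSEC3
MAX_ITERATIONS = 0xFFFF          # iterations is a 16-bit unsigned field
MAX_SALT_BYTES = 255             # salt length is an 8-bit field
HEX_SALT = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def check_nsec3param(value):
    """Return a list of problems with an NSEC3PARAM value; empty means valid."""
    fields = value.split()
    if len(fields) != 4:
        return ["expected 4 fields (algorithm flags iterations salt), got %d"
                % len(fields)]
    problems = []
    numbers = {}
    for name, text in zip(("algorithm", "flags", "iterations"), fields):
        if text.isascii() and text.isdigit():
            numbers[name] = int(text)
        else:
            problems.append("%s is not an unsigned integer: %r" % (name, text))
    if numbers.get("algorithm", 1) not in HASH_ALGORITHMS:
        problems.append("unknown hash algorithm %d" % numbers["algorithm"])
    # The opt-out bit lives only in NSEC3 records; NSEC3PARAM flags must be 0.
    if numbers.get("flags", 0) != 0:
        problems.append("flags must be 0, got %d" % numbers["flags"])
    if numbers.get("iterations", 0) > MAX_ITERATIONS:
        problems.append("iterations exceeds %d" % MAX_ITERATIONS)
    salt = fields[3]
    if salt != "-":                      # "-" means no salt
        if not HEX_SALT.fullmatch(salt):
            problems.append("salt must be '-' or an even number of hex digits")
        elif len(salt) // 2 > MAX_SALT_BYTES:
            problems.append("salt longer than %d bytes" % MAX_SALT_BYTES)
    return problems


if __name__ == "__main__":
    # Sample values: the first is the one tried in the thread, the rest are constructed.
    for sample in ("1 7 100 F9BA6264232B7283", "1 0 10 F9BA6264232B7283",
                   "1 0 10 -", "1 0 10", "2 0 70000 ABC"):
        print("%-28s %s" % (sample, check_nsec3param(sample) or "OK"))
```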