Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On 16.05.2016 13:44, Günther J. Niederwimmer wrote:
> On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
> > On 16.5.2016 08:47, Martin Kosek wrote:
> > > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> > >> Hello,
> > >>
> > >> Thanks for the answer,
> > >>
> > >> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> > >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > >>>> Hello,
> > >>>> I have the problem of finding the correct way for NSEC3PARAM?
> > >>>>
> > >>>> With your help I have found this
> > >>>>
> > >>>> ipa dnszone-mod example.com. --nsec3param-rec " "
> > >>>>
> > >>>> But it does not work correctly?
> > >>>>
> > >>>> Now the question, is this the correct way
> > >>>>
> > >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> > >>>>
> > >>>> to insert the NSEC3PARAMETER??
> > >>>
> > >>> This should be right, there were related fixes by
> > >>> https://fedorahosted.org/freeipa/ticket/4413
> > >>>
> > >>> Your second command works in my test environment:
> > >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> > >>> # dig -t nsec3param example.com. +short
> > >>> 1 7 100 F9BA6264232B7283
> > >>
> > >> The question is now, I mean the parameter is wrong?
> > >>
> > >> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
> > >>
> > >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> > >>
> > >> and a
> > >>
> > >> dig -t nsec3param example.com. +short
> > >>
> > >> the result is
> > >>
> > >> 1 0 10
> > >>
> > >> 1 is SHA-1
> > >> so I mean (?) "0" is the correct parameter?
> > >> "10" is the default for BIND
> > >>
> > >> so I hope this is now working correctly
> > >>
> > >> Thanks for testing and answering
> > >
> > > Ahh, now I understand what you were asking about. The validators we have in
> > > DNS records are only limited, mostly to check that you are entering the right
> > > number of fields or that the data type is OK. They usually do not do any more
> > > complex evaluation. I would let Petr Spacek say if we need to change anything
> > > in FreeIPA in this case.
> >
> > Looking at
> > https://tools.ietf.org/html/rfc5155#section-4
> > http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2
>
> Petr,
>
> I read this all, but I mean I read it wrong ;-)
>
> A nicer way to implement this is an automatic configuration with only a button :-)).
>
> Thanks for the help,

Hello, can you please file an RFE ticket?
https://fedorahosted.org/freeipa/newticket

And it would be nice to provide in that ticket what kind of default values are suitable for it.

Martin

> > The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> > change in future).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
> On 16.5.2016 08:47, Martin Kosek wrote:
> > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> >> Hello,
> >>
> >> Thanks for the answer,
> >>
> >> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> >>>> Hello,
> >>>> I have the problem of finding the correct way for NSEC3PARAM?
> >>>>
> >>>> With your help I have found this
> >>>>
> >>>> ipa dnszone-mod example.com. --nsec3param-rec " "
> >>>>
> >>>> But it does not work correctly?
> >>>>
> >>>> Now the question, is this the correct way
> >>>>
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >>>>
> >>>> to insert the NSEC3PARAMETER??
> >>>
> >>> This should be right, there were related fixes by
> >>> https://fedorahosted.org/freeipa/ticket/4413
> >>>
> >>> Your second command works in my test environment:
> >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >>> # dig -t nsec3param example.com. +short
> >>> 1 7 100 F9BA6264232B7283
> >>
> >> The question is now, I mean the parameter is wrong?
> >>
> >> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
> >>
> >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> >>
> >> and a
> >>
> >> dig -t nsec3param example.com. +short
> >>
> >> the result is
> >>
> >> 1 0 10
> >>
> >> 1 is SHA-1
> >> so I mean (?) "0" is the correct parameter?
> >> "10" is the default for BIND
> >>
> >> so I hope this is now working correctly
> >>
> >> Thanks for testing and answering
> >
> > Ahh, now I understand what you were asking about. The validators we have
> > in DNS records are only limited, mostly to check that you are entering
> > the right number of fields or that the data type is OK. They usually do
> > not do any more complex evaluation. I would let Petr Spacek say if we
> > need to change anything in FreeIPA in this case.
>
> Looking at
> https://tools.ietf.org/html/rfc5155#section-4
> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

Petr,

I read this all, but I mean I read it wrong ;-)

A nicer way to implement this is an automatic configuration with only a button :-)).

Thanks for the help,

> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> change in future).
Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On 16.5.2016 08:47, Martin Kosek wrote:
> On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Thanks for the answer,
>>
>> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
>>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>> I have the problem of finding the correct way for NSEC3PARAM?
>>>>
>>>> With your help I have found this
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec " "
>>>>
>>>> But it does not work correctly?
>>>>
>>>> Now the question, is this the correct way
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>>
>>>> to insert the NSEC3PARAMETER??
>>>
>>> This should be right, there were related fixes by
>>> https://fedorahosted.org/freeipa/ticket/4413
>>>
>>> Your second command works in my test environment:
>>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>> # dig -t nsec3param example.com. +short
>>> 1 7 100 F9BA6264232B7283
>>
>> The question is now, I mean the parameter is wrong?
>>
>> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
>>
>> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>>
>> and a
>>
>> dig -t nsec3param example.com. +short
>>
>> the result is
>>
>> 1 0 10
>>
>> 1 is SHA-1
>> so I mean (?) "0" is the correct parameter?
>> "10" is the default for BIND
>>
>> so I hope this is now working correctly
>>
>> Thanks for testing and answering
>
> Ahh, now I understand what you were asking about. The validators we have in
> DNS records are only limited, mostly to check that you are entering the right
> number of fields or that the data type is OK. They usually do not do any more
> complex evaluation. I would let Petr Spacek say if we need to change anything
> in FreeIPA in this case.

Looking at
https://tools.ietf.org/html/rfc5155#section-4
http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
change in future).

--
Petr^2 Spacek
Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>> I have the problem of finding the correct way for NSEC3PARAM?
>>>
>>> With your help I have found this
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec " "
>>>
>>> But it does not work correctly?
>>>
>>> Now the question, is this the correct way
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>
>>> to insert the NSEC3PARAMETER??
>>
>> This should be right, there were related fixes by
>> https://fedorahosted.org/freeipa/ticket/4413
>>
>> Your second command works in my test environment:
>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>> # dig -t nsec3param example.com. +short
>> 1 7 100 F9BA6264232B7283
>
> The question is now, I mean the parameter is wrong?
>
> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
>
> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>
> and a
>
> dig -t nsec3param example.com. +short
>
> the result is
>
> 1 0 10
>
> 1 is SHA-1
> so I mean (?) "0" is the correct parameter?
> "10" is the default for BIND
>
> so I hope this is now working correctly
>
> Thanks for testing and answering

Ahh, now I understand what you were asking about. The validators we have in
DNS records are only limited, mostly to check that you are entering the right
number of fields or that the data type is OK. They usually do not do any more
complex evaluation. I would let Petr Spacek say if we need to change anything
in FreeIPA in this case.

Martin
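The two points made in this thread, that FreeIPA's record validator only checks field count and data types (Martin, above) and that the only valid NSEC3PARAM Flags value is 0 (Petr, in the reply further up), as an added example that is not FreeIPA's code and not from anyone in the thread: a small Python module that parses the RDATA string given to `ipa dnszone-mod --nsec3param-rec`, rejects what RFC 5155 section 4 forbids (non-zero Flags, unassigned hash algorithm, iterations outside 16 bits, malformed salt), and then computes the NSEC3 hashed owner name those parameters produce, so the effect of the algorithm, iterations and salt fields is visible rather than abstract. The function names (`parse_nsec3param`, `nsec3_hash`, `check`) are mine; the input `1 0 10 F9BA6264232B7283` is constructed by combining the BIND defaults reported in the thread with the salt used there; `1 0 12 aabbccdd` and the resulting apex hash are the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib
from dataclasses import dataclass

# RFC 5155 section 4.1.1 / IANA NSEC3 hash algorithm registry: 1 (SHA-1) is the only one assigned.
NSEC3_HASH_ALGORITHMS = {1: hashlib.sha1}

# RFC 5155 section 5 uses base32 with the "Extended Hex" alphabet (RFC 4648 section 7);
# a 20-octet SHA-1 digest encodes to exactly 32 characters, so no '=' padding appears.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


@dataclass(frozen=True)
class Nsec3Param:
    algorithm: int
    flags: int
    iterations: int
    salt: bytes

    def presentation(self) -> str:
        """Zone-file form, e.g. '1 0 10 F9BA6264232B7283' or '1 0 0 -' for an empty salt."""
        salt = self.salt.hex().upper() if self.salt else "-"
        return f"{self.algorithm} {self.flags} {self.iterations} {salt}"


def parse_nsec3param(rdata: str) -> Nsec3Param:
    """Parse NSEC3PARAM presentation format (RFC 5155 4.3) and enforce section 4.1 semantics."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (algorithm flags iterations salt), got {len(fields)}")
    try:
        algorithm, flags, iterations = (int(f) for f in fields[:3])
    except ValueError:
        raise ValueError("algorithm, flags and iterations must be decimal integers") from None
    if algorithm not in NSEC3_HASH_ALGORITHMS:
        raise ValueError(f"hash algorithm {algorithm} is not assigned (only 1 = SHA-1)")
    if flags != 0:
        # Section 4.1.2: the NSEC3PARAM Flags field MUST be zero. The Opt-Out bit
        # (value 1) is meaningful on NSEC3 RRs only, never on NSEC3PARAM.
        raise ValueError(f"NSEC3PARAM flags must be 0, got {flags}")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError(f"iterations must fit in 16 bits, got {iterations}")
    if fields[3] == "-":
        salt = b""
    else:
        if len(fields[3]) % 2:
            raise ValueError("salt must be an even number of hex digits")
        try:
            salt = bytes.fromhex(fields[3])
        except ValueError:
            raise ValueError("salt must be hex digits or '-'") from None
        if len(salt) > 255:
            raise ValueError("salt longer than 255 octets")
    return Nsec3Param(algorithm, flags, iterations, salt)


def _canonical_wire_name(name: str) -> bytes:
    """Owner name in wire format, canonical lowercase form (RFC 4034 section 6.2)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)  # terminating root label
    return bytes(out)


def nsec3_hash(name: str, params: Nsec3Param) -> str:
    """Hashed owner name per RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); result is base32hex, lowercase."""
    h = NSEC3_HASH_ALGORITHMS[params.algorithm]
    digest = h(_canonical_wire_name(name) + params.salt).digest()
    for _ in range(params.iterations):
        digest = h(digest + params.salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def check(rdata: str) -> str:
    """'ok: <normalized RDATA>' or 'invalid: <reason>' for one RDATA string."""
    try:
        return "ok: " + parse_nsec3param(rdata).presentation()
    except ValueError as exc:
        return f"invalid: {exc}"


if __name__ == "__main__":
    # Constructed inputs: the record typed in the thread, BIND's defaults (1 0 10)
    # with the thread's salt, and the empty-salt form.
    for rdata in ("1 7 100 f9ba6264232b7283", "1 0 10 F9BA6264232B7283", "1 0 0 -"):
        print(f"{rdata!r:>28} -> {check(rdata)}")
    apex = parse_nsec3param("1 0 12 aabbccdd")  # RFC 5155 Appendix A zone parameters
    print(nsec3_hash("example.", apex) + ".example.")
```

Feed `check()` what the server actually serves (`dig -t nsec3param example.com. +short`) rather than what was typed: FreeIPA's validator accepts `1 7 100 f9ba6264232b7283`, stores it and BIND serves it, but a resolver following RFC 5155 treats Flags 7 as unknown and the record as unusable. Opt-Out is a property the signer sets on individual NSEC3 RRs, not something configured in NSEC3PARAM. Current guidance (RFC 9276) is to sign with zero iterations and an empty salt, which in this notation is `1 0 0 -`.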
Re: [Freeipa-users] DNSSEC NSEC3 Parameter
Hello,

Thanks for the answer,

On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have the problem of finding the correct way for NSEC3PARAM?
> >
> > With your help I have found this
> >
> > ipa dnszone-mod example.com. --nsec3param-rec " "
> >
> > But it does not work correctly?
> >
> > Now the question, is this the correct way
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >
> > to insert the NSEC3PARAMETER??
>
> This should be right, there were related fixes by
> https://fedorahosted.org/freeipa/ticket/4413
>
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283

The question is now, I mean the parameter is wrong?

I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE

and a

dig -t nsec3param example.com. +short

the result is

1 0 10

1 is SHA-1
so I mean (?) "0" is the correct parameter?
"10" is the default for BIND

so I hope this is now working correctly

Thanks for testing and answering

--
best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> Hello,
> I have the problem of finding the correct way for NSEC3PARAM?
>
> With your help I have found this
>
> ipa dnszone-mod example.com. --nsec3param-rec " "
>
> But it does not work correctly?
>
> Now the question, is this the correct way
>
> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>
> to insert the NSEC3PARAMETER??

This should be right, there were related fixes by
https://fedorahosted.org/freeipa/ticket/4413

Your second command works in my test environment:
# ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
# dig -t nsec3param example.com. +short
1 7 100 F9BA6264232B7283

Martin
[Freeipa-users] DNSSEC NSEC3 Parameter
Hello,
I have the problem of finding the correct way for NSEC3PARAM?

With your help I have found this

ipa dnszone-mod example.com. --nsec3param-rec " "

But it does not work correctly?

Now the question, is this the correct way

ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"

to insert the NSEC3PARAMETER??

--
best regards,
Günther J. Niederwimmer