[Freeipa-users] FreeIPA DNSSEC NSEC3PARAM record

Petr Spacek pspacek at redhat.com
Mon Dec 14 08:51:12 UTC 2015


On 10.12.2015 16:05, Günther J. Niederwimmer wrote:
> On Thursday 10 December 2015, 12:51:19, Petr Spacek wrote:
>> On 9.12.2015 14:40, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> I would like to create an NSEC3PARAM record, but my tests are not working :-(.
>>>
>>> Is there documentation for this problem? I can't find any documentation.
>>>
>>> My test is
>>>
>>> I make a "salt" with this
>>>
>>> head -c 512 /dev/random | sha1sum | cut -b 1-16
>>> xxxxxxxxxxxxx...
>>>
>>> Afterward I make with
>>> ldns-nsec3-hash -t 10 -s xxxxxxxxxxxxxxxxxx xxxxx.com
>>> xxxxx.....
>>>
>>> I would like to insert the result in the WebUI, but this is wrong?
>>>
>>> What is the correct syntax to create an NSEC3PARAM record?
>>>
>>> Thanks for an answer,
>>
>> Hello,
>>
>> FreeIPA just passes the value to BIND, so standard syntax per
>> http://tools.ietf.org/html/rfc5155#section-4.3
>> should work.
>>
>> I hope this helps.
> ;-)
> 
> I am not a mathematics professor to understand this ;-)
> 
> OK, I have to search again on the World Wide Web to find an answer.

NSEC3PARAM is a security parameter, so you need to do more reading about it
before you can make an informed decision and pick the right parameters for your
use case.

If you do not want to spend more time on this, just leave NSEC in place and be
done with it. Improperly configured NSEC3 ("improper" for your purposes) will
give only a false sense of security.

You can read relevant chapters in DNSSEC guide here:
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html

I hope this helps.

-- 
Petr^2 Spacek



