[Freeipa-users] DNSSEC NSEC3 Parameter
Günther J. Niederwimmer
gjn at gjn.priv.at
Sat May 14 17:49:42 UTC 2016
Hello,
Thanks for the answer,
On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have a problem finding the correct way to set NSEC3PARAM.
> >
> > With your help I found this:
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags> <iterations> <salt>"
> >
> > But it does not work correctly?
> >
> > Now the question: is this the correct way,
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >
> > to insert the NSEC3 parameter?
>
> This should be right; there were related fixes in
> https://fedorahosted.org/freeipa/ticket/4413
>
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283
The question now is: I think the <flags> parameter is wrong?
I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9):
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
and a
dig -t nsec3param example.com. +short
the result is
1 0 10 ............
1 is SHA-1,
so I think (?) "0" is the correct parameter?
"10" is the default for BIND,
so I hope this is now working correctly.
Thanks for testing and answering.
--
Kind regards / best regards,
Günther J. Niederwimmer
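As an added example (not code from this thread, from FreeIPA or from BIND; the function names are my own), here is a small Python checker for the NSEC3PARAM presentation format the thread is passing to `ipa dnszone-mod --nsec3param-rec`. It flags the nonzero flags value from the first command: RFC 5155 section 4.1.2 defines no flags for NSEC3PARAM, so that field must be 0 (Opt-Out is a flag on individual NSEC3 records, not on NSEC3PARAM). It also builds the RFC 5155 wire form and computes the NSEC3 owner-name hash for a name, so you can see exactly what the iteration count and salt feed into. The `1 0 100 f9ba6264232b7283` record is a constructed variant of the thread's command with the flags cleared, and the `1 0 12 aabbccdd` parameters with the name `example.` are the RFC 5155 Appendix A vector, used here as a known-answer check. The warnings about non-zero iterations and a non-empty salt follow the later RFC 9276 recommendation and are advice, not errors.

```python
"""NSEC3PARAM sanity checker and NSEC3 owner-name hasher (RFC 5155).

Added example; not FreeIPA or BIND code. Function names are hypothetical.
"""
import base64
import hashlib
from dataclasses import dataclass

# Python's b32encode uses the RFC 4648 alphabet; NSEC3 uses base32hex.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


@dataclass(frozen=True)
class Nsec3Param:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes


def parse_nsec3param(text: str) -> Nsec3Param:
    """Parse '<alg> <flags> <iterations> <salt>' as used by
    `ipa dnszone-mod --nsec3param-rec` and printed by dig.
    A salt of '-' is the empty salt (RFC 5155 section 3.3)."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs four fields: alg flags iterations salt")
    alg, flags, iterations, salt_txt = fields
    salt = b"" if salt_txt == "-" else bytes.fromhex(salt_txt)
    return Nsec3Param(int(alg), int(flags), int(iterations), salt)


def check_nsec3param(p: Nsec3Param) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors are what RFC 5155 forbids,
    warnings are the operational advice from RFC 9276."""
    errors, warnings = [], []
    if p.hash_alg != 1:
        errors.append(f"hash algorithm {p.hash_alg}: only 1 (SHA-1) is defined")
    if p.flags != 0:
        # RFC 5155 4.1.2: no NSEC3PARAM flags are defined, all bits MUST be 0.
        # Opt-Out (bit value 1) is set in each NSEC3 RR's flags, not here.
        errors.append(f"flags {p.flags}: NSEC3PARAM flags MUST be 0")
    if not 0 <= p.iterations <= 0xFFFF:
        errors.append("iterations must fit in 16 bits")
    if len(p.salt) > 255:
        errors.append("salt longer than 255 octets")
    if p.iterations > 0:
        warnings.append(f"iterations {p.iterations}: RFC 9276 recommends 0")
    if p.salt:
        warnings.append("non-empty salt: RFC 9276 recommends the empty salt '-'")
    return errors, warnings


def nsec3param_wire(p: Nsec3Param) -> bytes:
    """RFC 5155 4.1 RDATA: alg(1) flags(1) iterations(2, BE) saltlen(1) salt."""
    return (bytes([p.hash_alg, p.flags]) + p.iterations.to_bytes(2, "big")
            + bytes([len(p.salt)]) + p.salt)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(owner: str, p: Nsec3Param) -> str:
    """H(owner) per RFC 5155 section 5: SHA-1(name || salt), then `iterations`
    further rounds of SHA-1(previous || salt), rendered as lowercase base32hex."""
    if p.hash_alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(name_to_wire(owner) + p.salt).digest()
    for _ in range(p.iterations):
        digest = hashlib.sha1(digest + p.salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


if __name__ == "__main__":
    # The thread's record, a constructed flags=0 variant, and the RFC 9276 shape.
    for rec in ("1 7 100 f9ba6264232b7283", "1 0 100 f9ba6264232b7283", "1 0 0 -"):
        errs, warns = check_nsec3param(parse_nsec3param(rec))
        print(rec, "->", "OK" if not errs else errs, warns)
    # RFC 5155 Appendix A vector: H(example) with salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", parse_nsec3param("1 0 12 aabbccdd")))
```

The dig output from the thread (`1 7 100 F9BA6264232B7283`) parses as well, since `bytes.fromhex` accepts either case. Note that the hash loop runs `iterations + 1` SHA-1 rounds per name, which is why RFC 9276 pushes the count to 0: every extra round is work the authoritative server and every validating resolver must repeat for each NSEC3 lookup.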