[Freeipa-users] DNSSEC NSEC3 Parameter

Petr Spacek pspacek at redhat.com
Mon May 16 11:13:04 UTC 2016


On 16.5.2016 08:47, Martin Kosek wrote:
> On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Thanks for answer,
>>
>> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek:
>>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>> I have the problem of finding the correct way for NSEC3PARAM?
>>>>
>>>> With your help I have found this:
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
>>>> <iterations> <salt>"
>>>>
>>>> But it does not work correctly?
>>>>
>>>> Now the question: is this the correct way
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>>
>>>> to insert the NSEC3PARAMETER?
>>>
>>> This should be right, there were related fixes by
>>> https://fedorahosted.org/freeipa/ticket/4413
>>>
>>> Your second command works in my test environment:
>>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>> # dig -t nsec3param example.com. +short
>>> 1 7 100 F9BA6264232B7283
>>
>> The question is now: I mean the <flags> parameter is wrong?
>>
>> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
>>
>> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>>
>> and a
>>
>> dig -t nsec3param example.com. +short
>>
>> the result is
>>
>> 1 0 10 ............
>>
>> 1 is SHA-1,
>> so I mean (?) "0" is the correct parameter?
>> "10" is the default for BIND
>>
>> so I hope this is now working correctly
>>
>> Thanks for testing and answering
> 
> Ahh, now I understand what you were asking about. The validators we have in DNS
> records are only limited, mostly to check that you are entering the right
> number of fields or that the data type is OK. They usually do not do any more
> complex evaluation. I would let Petr Spacek say if we need to change anything
> in FreeIPA in this case.

Looking at
https://tools.ietf.org/html/rfc5155#section-4
http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
change in future).

-- 
Petr^2 Spacek
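Martin notes above that FreeIPA's record validators mostly check field count and type. As an added example (not FreeIPA or BIND code), here is a stricter Python check of the NSEC3PARAM presentation string against RFC 5155 and the IANA registry Petr links to, plus the RFC 5155 section 5 owner-name hash so the effect of the iterations and salt fields can be seen; all function names are hypothetical.

```python
import base64
import hashlib

# IANA "DNSSEC NSEC3 Hash Algorithms" registry: only 1 (SHA-1) is assigned.
NSEC3_HASH_ALGS = {1: "SHA-1"}
# NSEC3 owner names use base32hex (RFC 5155 s.5); map from base64.b32encode's alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_nsec3param(rdata):
    """Strictly parse 'alg flags iterations salt' (RFC 5155 s.4.3); raise ValueError if bad."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs exactly 4 fields: alg flags iterations salt")
    alg, flags, iterations = (int(f) for f in fields[:3])
    if alg not in NSEC3_HASH_ALGS:
        raise ValueError("unknown NSEC3 hash algorithm %d" % alg)
    # RFC 5155 s.4.1.2: NSEC3PARAM flags are reserved and MUST be 0 (Opt-Out is NSEC3-only).
    if flags != 0:
        raise ValueError("NSEC3PARAM flags must be 0, got %d" % flags)
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations must fit in 16 bits")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    if len(salt) > 255:
        raise ValueError("salt is limited to 255 bytes")
    return alg, flags, iterations, salt

def check_nsec3param(rdata):
    """Return None when rdata is a valid NSEC3PARAM, otherwise the error text."""
    try:
        parse_nsec3param(rdata)
        return None
    except ValueError as err:
        return str(err)

def _wire_name(name):
    # Canonical wire form: lower-cased, length-prefixed labels, root terminator.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, iterations, salt, alg=1):
    """RFC 5155 s.5: SHA-1(name || salt), then re-hashed with the salt `iterations` times."""
    if alg not in NSEC3_HASH_ALGS:
        raise ValueError("unknown NSEC3 hash algorithm %d" % alg)
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # A 160-bit digest encodes to exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()
```

With this check, the "1 7 100 ..." record from the thread is rejected on the flags field, while "1 0 10 ..." as produced by dnssec-signzone passes.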

