[Freeipa-users] DNSSEC NSEC3 Parameter

Günther J. Niederwimmer gjn at gjn.priv.at
Mon May 16 11:44:13 UTC 2016


On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
> On 16.5.2016 08:47, Martin Kosek wrote:
> > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> >> Hello,
> >> 
> >> Thanks for answer,
> >> 
> >>> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> >>>> Hello,
> >>>> I have the problem of finding the correct way for NSEC3PARAM?
> >>>> 
> >>>> With your help I have found this
> >>>> 
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
> >>>> <iterations> <salt>"
> >>>> 
> >>>> But it does not work correctly?
> >>>> 
> >>>> Now the question: is this the correct way
> >>>> 
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
> >>>> f9ba6264232b7283"
> >>>> 
> >>>> to insert the NSEC3 parameters??
> >>> 
> >>> This should be right, there were related fixes by
> >>> https://fedorahosted.org/freeipa/ticket/4413
> >>> 
> >>> Your second command works in my test environment:
> >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
> >>> f9ba6264232b7283"
> >>> # dig -t nsec3param example.com. +short
> >>> 1 7 100 F9BA6264232B7283
> >> 
> >> The question is now, I mean the <flags> parameter is wrong?
> >> 
> >> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation
> >> (BIND 9)
> >> 
> >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
> >> -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> >> 
> >> and a
> >> 
> >> dig -t nsec3param example.com. +short
> >> 
> >> the result is
> >> 
> >> 1 0 10 ............
> >> 
> >> 1 is SHA-1
> >> so I mean (?) "0" is the correct parameter?
> >> "10" is the default for BIND
> >> 
> >> so I hope this is working correctly now
> >> 
> >> Thanks for testing and answer
> > 
> > Ahh, now I understand what you were asking about. The validators we have
> > in DNS records are only limited, mostly to check that you are entering
> > the right number of fields or that the data type is OK. They usually do
> > not do any more complex evaluation. I would let Petr Spacek say if we
> > need to change anything in FreeIPA in this case.
> 
> Looking at
> https://tools.ietf.org/html/rfc5155#section-4
> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

Petr, I read this all, but I mean I read it wrong ;-)

A nicer way to implement this is an automatic configuration with only a button
:-)).

Thanks for the help,
> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> change in future).
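
The thread boils down to what a stricter NSEC3PARAM check would look like, since FreeIPA (per Martin) only validates field count and type and accepted "1 7 100 f9ba6264232b7283" even though, as Petr notes, the only valid Flags value is 0. The following is an added example written for this archive page; it is not FreeIPA code and not from any of the posters. The function names (parse_nsec3param, is_valid_nsec3param, nsec3_hash, wire_name) are my own. The rules it enforces are taken from RFC 5155 section 4 and the IANA NSEC3 registries linked by Petr: hash algorithm 1 (SHA-1) is the only assigned algorithm, all NSEC3PARAM flag bits are reserved so Flags must be 0, Iterations is a 16-bit field, and Salt is "-" or an even-length hex string of at most 255 octets. It then goes one step further than the thread and computes the NSEC3 owner-name hash (RFC 5155 section 5) with the parsed parameters, so the effect of iterations and salt can be seen; the test vector in the __main__ block is the zone apex hash from the RFC 5155 Appendix A example zone ("example", 12 iterations, salt aabbccdd).

```python
import base64
import hashlib
import re

# IANA "DNSSEC NSEC3 Hash Algorithms": 0 is reserved, 1 = SHA-1 is the
# only assigned value.
HASH_ALGORITHMS = {1: hashlib.sha1}

# RFC 5155 section 4 / IANA "DNSSEC NSEC3PARAM Flags": every bit is
# reserved, so 0 is the only valid Flags value in an NSEC3PARAM record.
NSEC3PARAM_VALID_FLAGS = 0

_SALT_RE = re.compile(r"^(?:-|[0-9A-Fa-f]+)$")

# base32hex (RFC 4648 section 7) alphabet, as used for NSEC3 owner names,
# mapped from the standard base32 alphabet that Python's base64 emits.
_B32_TRANS = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")


def parse_nsec3param(rdata: str) -> dict:
    """Parse "<hash_algorithm> <flags> <iterations> <salt>" and enforce the
    RFC 5155 / IANA constraints on each field (stricter than a plain
    field-count and integer-type check). Raises ValueError on a bad field."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {rdata!r}")
    alg_s, flags_s, iters_s, salt = fields
    try:
        alg, flags, iterations = int(alg_s), int(flags_s), int(iters_s)
    except ValueError:
        raise ValueError(f"algorithm, flags and iterations must be integers: {rdata!r}")
    if alg not in HASH_ALGORITHMS:
        raise ValueError(f"unknown hash algorithm {alg} (only 1 = SHA-1 is assigned)")
    if flags != NSEC3PARAM_VALID_FLAGS:
        raise ValueError(f"NSEC3PARAM flags must be 0, got {flags}")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError(f"iterations must fit in 16 bits, got {iterations}")
    if not _SALT_RE.match(salt) or (salt != "-" and len(salt) % 2):
        raise ValueError(f"salt must be '-' or even-length hex, got {salt!r}")
    if salt != "-" and len(salt) // 2 > 255:
        raise ValueError("salt is longer than 255 octets")
    return {
        "algorithm": alg,
        "flags": flags,
        "iterations": iterations,
        "salt": b"" if salt == "-" else bytes.fromhex(salt),
    }


def is_valid_nsec3param(rdata: str) -> bool:
    """Boolean wrapper around parse_nsec3param()."""
    try:
        parse_nsec3param(rdata)
        return True
    except ValueError:
        return False


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): lower-cased,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, params: dict) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt) and
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); the NSEC3 owner label is
    IH(salt, owner, iterations) in base32hex."""
    h = HASH_ALGORITHMS[params["algorithm"]]
    salt = params["salt"]
    digest = h(wire_name(name) + salt).digest()
    for _ in range(params["iterations"]):
        digest = h(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TRANS)


if __name__ == "__main__":
    # Values from the thread: FreeIPA accepted the first, but Flags=7 is invalid.
    for rdata in ("1 7 100 f9ba6264232b7283", "1 0 10 f9ba6264232b7283", "1 0 0 -"):
        print(f"{rdata!r:32} valid={is_valid_nsec3param(rdata)}")
    # RFC 5155 Appendix A test vector: apex "example" with "1 0 12 aabbccdd".
    p = parse_nsec3param("1 0 12 aabbccdd")
    print(nsec3_hash("example", p) + ".example.")
```

The parse step is what the thread says FreeIPA lacks: a field-level check that would have rejected "1 7 100 ..." at dnszone-mod time instead of publishing it. The hash step shows why the parameters are more than metadata: the same owner name hashes to a different label for every salt and iteration count, so a zone whose NSEC3PARAM does not match its NSEC3 records cannot prove non-existence.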
