[Freeipa-users] DNSSEC NSEC3 Parameter

Martin Basti mbasti at redhat.com
Mon May 16 13:05:00 UTC 2016



On 16.05.2016 13:44, Günther J. Niederwimmer wrote:
> Am Montag, 16. Mai 2016, 13:13:04 CEST schrieb Petr Spacek:
>> On 16.5.2016 08:47, Martin Kosek wrote:
>>> On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>>
>>>> Thanks for answer,
>>>>
>>>> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek:
>>>>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>>>>> Hello,
>>>>>> I have the Problem to find the correct way for NSEC3PARAM ?
>>>>>>
>>>>>> With your Help I have this found
>>>>>>
>>>>>> ipa dnszone-mod example.com. --nsec3param-rec "<hash_algorithm> <flags>
>>>>>> <iterations> <salt>"
>>>>>>
>>>>>> But it does not work correct ?
>>>>>>
>>>>>> Now the question, is this the correct way
>>>>>>
>>>>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
>>>>>> f9ba6264232b7283"
>>>>>>
>>>>>> to insert the NSEC3PARAMETER ??
>>>>> This should be right, there were related fixes by
>>>>> https://fedorahosted.org/freeipa/ticket/4413
>>>>>
>>>>> Your second command works in my test environment:
>>>>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
>>>>> f9ba6264232b7283"
>>>>> # dig -t nsec3param example.com. +short
>>>>> 1 7 100 F9BA6264232B7283
>>>> The question is now, I mean the <flags> Parameter is wrong ?
>>>>
>>>> I make a test without Freeipa on a "normal" DNS (DNSSEC) installation
>>>> (bind 9)
>>>>
>>>> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
>>>> -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>>>>
>>>> and a
>>>>
>>>> dig -t nsec3param example.com. +short
>>>>
>>>> the result is
>>>>
>>>> 1 0 10 ............
>>>>
>>>> 1 is sha1
>>>> so I mean (?) "0" is the correct parameter ?.
>>>> "10" is the default for Bind
>>>>
>>>> so I hope this is working now correct
>>>>
>>>> Thanks for testing and answer
>>> Ahh, now I understand what you were asking about. The validators we have
>>> in DNS records are only limited, mostly to check that you are entering
>>> the right number of fields or that the data type is OK. They usually do
>>> not do any more complex evaluation. I would let Petr Spacek say if we
>>> need to change anything in FreeIPA in this case.
>> Looking at
>> https://tools.ietf.org/html/rfc5155#section-4
>> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2
> Petr, I read this all, but I mean I read it wrong ;-)
>
> A nicer way to implement this is an automatic configuration only with a button
> :-)).
>
> Thanks for the Help,
Hello, can you please file an RFE ticket?
https://fedorahosted.org/freeipa/newticket

And it would be nice to provide what kind of default values are suitable
for it in that ticket.

Martin

>> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
>> change in future).
>
>

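Two checks a FreeIPA or BIND administrator may want before running `ipa dnszone-mod ... --nsec3param-rec` are a sanity check of the four rdata fields (hash algorithm, flags, iterations, salt) that the thread says FreeIPA itself does not perform beyond field count and type, and a way to see what the parameters actually do to an owner name. The following is an added, stand-alone example, not FreeIPA or bind-dyndb-ldap code and not from anyone in the thread; the function names `validate_nsec3param` and `nsec3_hash` and the default iteration ceiling of 150 (RFC 5155 section 10.3's value for 1024-bit keys) are my own choices.

```python
"""NSEC3PARAM field checks and the NSEC3 owner-name hash, per RFC 5155.

Added example; not FreeIPA code. Function names and the iteration ceiling
are assumptions chosen for illustration.
"""
import base64
import hashlib

# NSEC3 uses base32 with the RFC 4648 "Extended Hex" alphabet; Python's
# b32encode uses the standard alphabet, so translate afterwards.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

SHA1 = 1  # the only hash algorithm IANA has registered for NSEC3 (RFC 5155)


def validate_nsec3param(rdata: str, max_iterations: int = 150) -> list:
    """Return the problems found in an NSEC3PARAM rdata string such as
    '1 0 10 f9ba6264232b7283'; an empty list means the record is acceptable.

    max_iterations is a policy knob (assumed default: RFC 5155 sec. 10.3's
    limit for 1024-bit zone keys), not a protocol limit.
    """
    problems = []
    fields = rdata.split()
    if len(fields) != 4:
        return ["expected 4 fields: <hash_algorithm> <flags> <iterations> <salt>"]
    alg, flags, iters, salt = fields
    if not alg.isdigit() or int(alg) != SHA1:
        problems.append(f"hash algorithm must be 1 (SHA-1), got {alg!r}")
    # RFC 5155 sec. 4.1.2: all NSEC3PARAM flag bits are reserved and must be 0
    # (Opt-Out is meaningful only on NSEC3 records, not on NSEC3PARAM).
    if not flags.isdigit() or int(flags) != 0:
        problems.append(f"flags must be 0 in NSEC3PARAM, got {flags!r}")
    if not iters.isdigit() or not 0 <= int(iters) <= 65535:
        problems.append(f"iterations must be 0..65535, got {iters!r}")
    elif int(iters) > max_iterations:
        problems.append(
            f"iterations {iters} exceeds recommended maximum {max_iterations}")
    if salt != "-":  # '-' is the presentation form of an empty salt
        try:
            raw = bytes.fromhex(salt)  # rejects odd length and non-hex digits
        except ValueError:
            problems.append(
                f"salt must be '-' or an even-length hex string, got {salt!r}")
        else:
            if len(raw) > 255:  # salt length is carried in one octet
                problems.append(f"salt is {len(raw)} bytes; maximum is 255")
    return problems


def _wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name: length-prefixed labels
    terminated by a zero octet."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash of an owner name (RFC 5155 sec. 5), returned as the
    lower-case base32hex label that appears in the signed zone.

    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


if __name__ == "__main__":
    # The two records from the thread: the first is rejected because of flags=7.
    for rec in ("1 7 100 f9ba6264232b7283", "1 0 10 f9ba6264232b7283"):
        print(rec, "->", validate_nsec3param(rec) or "ok")
    # Parameters from RFC 5155 Appendix A, so the label can be compared with
    # the NSEC3 owner names printed in that appendix.
    print("NSEC3 label for example. :", nsec3_hash("example.", "aabbccdd", 12))
```

Running the script on the thread's two records reports the flags problem for `1 7 100 f9ba6264232b7283` and accepts `1 0 10 f9ba6264232b7283`. The hash function makes the cost of the iterations field concrete: every extra iteration is one more SHA-1 over the salt-appended digest for every name the signer hashes and every validator re-hashes during a denial-of-existence proof, which is why the RFC caps the value by key size rather than leaving it open-ended.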