isc-hmac-fixup.docbook revision 0c27b3fe77ac1d5094ba3521e8142d9e7973133f
<!--
 - Copyright (C) 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
 <info>
 <date>2013-04-28</date>
 </info>
 <refentryinfo>
 <corpname>ISC</corpname>
 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
 </refentryinfo>

 <refmeta>
 <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
 <manvolnum>8</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>

 <refnamediv>
 <refname><application>isc-hmac-fixup</application></refname>
 <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
 </refnamediv>

 <docinfo>
 <copyright>
 <year>2010</year>
 <year>2013</year>
 <year>2014</year>
 <year>2015</year>
 <year>2016</year>
 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
 </copyright>
 </docinfo>

 <refsynopsisdiv>
 <cmdsynopsis sepchar=" ">
 <command>isc-hmac-fixup</command>
 <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
 <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
 </cmdsynopsis>
 </refsynopsisdiv>

 <refsection><info><title>DESCRIPTION</title></info>

 <para>
 Versions of BIND 9 up to and including BIND 9.6 had a bug causing
 HMAC-SHA* TSIG keys which were longer than the digest length of the
 hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
 longer than 256 bits, etc.) to be used incorrectly, generating a
 message authentication code that was incompatible with other DNS
 implementations.
 </para>
 <para>
 This bug has been fixed in BIND 9.7. However, the fix may
 cause incompatibility between older and newer versions of
 BIND, when using long keys. <command>isc-hmac-fixup</command>
 modifies those keys to restore compatibility.
 </para>
 <para>
 To modify a key, run <command>isc-hmac-fixup</command> and
 specify the key's algorithm and secret on the command line. If the
 secret is longer than the digest length of the algorithm (64 bytes
 for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
 new secret will be generated consisting of a hash digest of the old
 secret. (If the secret did not require conversion, then it will be
 printed without modification.)
 </para>
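 <para>
 The following Python sketch is added here as an illustration and is not
 ISC's code: it applies the same rule the tool implements (a secret longer
 than the block size of the hash is replaced by its hash digest) and checks
 that the converted secret produces the same MAC as the original, which is
 why the conversion preserves interoperability. It assumes base64-encoded
 secrets on input and output and BIND-style algorithm names such as
 hmac-sha256.
 </para>

```python
import base64
import hashlib
import hmac

# Block size in bytes of each hash, as given in the DESCRIPTION above.
# HMAC (RFC 2104) replaces any key longer than this with its hash digest,
# which is the conversion isc-hmac-fixup performs ahead of time.
# Algorithm names are assumed to match BIND's TSIG algorithm names.
BLOCK_SIZE = {
    "hmac-sha1": 64, "hmac-sha224": 64, "hmac-sha256": 64,
    "hmac-sha384": 128, "hmac-sha512": 128,
}


def fixup_secret(algorithm, secret_b64):
    """Return the base64 secret the tool would print for this algorithm.

    A secret no longer than the block size is returned unchanged; a longer
    one is replaced by the base64 encoding of its hash digest.
    """
    algo = algorithm.lower()
    hash_name = algo[len("hmac-"):]          # "hmac-sha256" becomes "sha256"
    raw = base64.b64decode(secret_b64)
    if len(raw) > BLOCK_SIZE[algo]:
        raw = hashlib.new(hash_name, raw).digest()
    return base64.b64encode(raw).decode("ascii")


def tsig_mac(algorithm, secret_b64, message):
    """Hex HMAC of message under the given base64 secret (RFC 2104 HMAC)."""
    hash_name = algorithm.lower()[len("hmac-"):]
    return hmac.new(base64.b64decode(secret_b64), message, hash_name).hexdigest()


def macs_match_after_fixup(algorithm, secret_b64, message):
    """True if the converted secret yields the same MAC as the original one."""
    fixed = fixup_secret(algorithm, secret_b64)
    return hmac.compare_digest(tsig_mac(algorithm, secret_b64, message),
                               tsig_mac(algorithm, fixed, message))


def constructed_long_secret(length=100):
    """Constructed sample secret of the given byte length, base64 encoded."""
    return base64.b64encode(bytes(range(length))).decode("ascii")


if __name__ == "__main__":
    # 100 bytes exceeds SHA-256's 64-byte block but not SHA-512's 128-byte
    # block, so only the hmac-sha256 secret is changed; both MACs still match.
    for algorithm in ("hmac-sha256", "hmac-sha512"):
        secret = constructed_long_secret()
        print(algorithm, fixup_secret(algorithm, secret),
              macs_match_after_fixup(algorithm, secret, b"tsig data"))
```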
 </refsection>

 <refsection><info><title>SECURITY CONSIDERATIONS</title></info>

 <para>
 Secrets that have been converted by <command>isc-hmac-fixup</command>
 are shortened, but as this is how the HMAC protocol works in
 operation anyway, it does not affect security. RFC 2104 notes,
 "Keys longer than [the digest length] are acceptable but the
 extra length would not significantly increase the function
 strength."
 </para>
 </refsection>

 <refsection><info><title>SEE ALSO</title></info>

 <para>
 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
 <citetitle>RFC 2104</citetitle>.
 </para>
 </refsection>

</refentry>
