isc-hmac-fixup.docbook revision 83a28ca274521e15086fc39febde507bcc4e145e
<!--
 - Copyright (C) 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
 <info>
 <date>2013-04-28</date>
 </info>
 <refentryinfo>
 <corpname>ISC</corpname>
 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
 </refentryinfo>

 <refmeta>
 <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
 <manvolnum>8</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>

 <refnamediv>
 <refname><application>isc-hmac-fixup</application></refname>
 <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
 </refnamediv>

 <docinfo>
 <copyright>
 <year>2010</year>
 <year>2013</year>
 <year>2014</year>
 <year>2015</year>
 <year>2016</year>
 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
 </copyright>
 </docinfo>

 <refsynopsisdiv>
 <cmdsynopsis sepchar=" ">
 <command>isc-hmac-fixup</command>
 <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
 <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
 </cmdsynopsis>
 </refsynopsisdiv>

 <refsection><info><title>DESCRIPTION</title></info>

 <para>
 Versions of BIND 9 up to and including BIND 9.6 had a bug causing
 HMAC-SHA* TSIG keys which were longer than the digest length of the
 hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
 longer than 256 bits, etc.) to be used incorrectly, generating a
 message authentication code that was incompatible with other DNS
 implementations.
 </para>
 <para>
 This bug has been fixed in BIND 9.7. However, the fix may
 cause incompatibility between older and newer versions of
 BIND, when using long keys. <command>isc-hmac-fixup</command>
 modifies those keys to restore compatibility.
 </para>
 <para>
 To modify a key, run <command>isc-hmac-fixup</command> and
 specify the key's algorithm and secret on the command line. If the
 secret is longer than the digest length of the algorithm (64 bytes
 for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
 new secret will be generated consisting of a hash digest of the old
 secret. (If the secret did not require conversion, then it will be
 printed without modification.)
 </para>
 </refsection>

 <refsection><info><title>SECURITY CONSIDERATIONS</title></info>

 <para>
 Secrets that have been converted by <command>isc-hmac-fixup</command>
 are shortened, but as this is how the HMAC protocol works in
 operation anyway, it does not affect security. RFC 2104 notes,
 "Keys longer than [the digest length] are acceptable but the
 extra length would not significantly increase the function
 strength."
 </para>
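 <para>
 The following Python script is an added illustration and is not part of
 BIND or of <command>isc-hmac-fixup</command> itself. It reproduces the
 conversion rule described under DESCRIPTION (a base64 secret longer than
 the stated threshold, 64 bytes for SHA1 through SHA256 and 128 bytes for
 SHA384 and SHA512, is replaced by its hash digest; anything shorter is
 returned unchanged) and then checks the claim made in this section: an
 RFC 2104 HMAC computed with the original long secret is identical to one
 computed with the shortened secret, because HMAC hashes any key longer
 than the block size before use. The algorithm names follow the
 named.conf spelling; the function names, the 100-byte sample secret and
 the message are constructed for the example.
 </para>
 <programlisting>
```python
import base64
import hashlib
import hmac

# Conversion thresholds in bytes as the manual page states them: 64 for
# SHA1 through SHA256, 128 for SHA384 and SHA512. These equal the HMAC
# block sizes RFC 2104 uses to decide when a key is hashed before use.
THRESHOLD = {
    "hmac-sha1": 64,
    "hmac-sha224": 64,
    "hmac-sha256": 64,
    "hmac-sha384": 128,
    "hmac-sha512": 128,
}

# Hash constructor per algorithm (names as spelled in named.conf).
DIGEST = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def fixup_secret(algorithm, secret_b64):
    """Return the base64 secret to configure on BIND 9.7 and later.

    If the decoded secret is longer than the algorithm's threshold it is
    replaced by its hash digest; otherwise it is returned unchanged. This
    is the behaviour the manual page describes for isc-hmac-fixup.
    """
    alg = algorithm.lower()
    if alg not in THRESHOLD:
        raise ValueError("unsupported algorithm: " + algorithm)
    raw = base64.b64decode(secret_b64, validate=True)
    if len(raw) > THRESHOLD[alg]:
        raw = DIGEST[alg](raw).digest()
    return base64.b64encode(raw).decode("ascii")


def needs_fixup(algorithm, secret_b64):
    """True if the decoded secret exceeds the threshold for this algorithm."""
    alg = algorithm.lower()
    raw = base64.b64decode(secret_b64, validate=True)
    return len(raw) > THRESHOLD[alg]


def mac_matches(algorithm, secret_b64, message):
    """Check the security consideration: the HMAC over the original secret
    equals the HMAC over the shortened secret. Python's hmac module follows
    RFC 2104 and hashes keys longer than the block size, so both MACs are
    computed from the same effective key.
    """
    alg = algorithm.lower()
    original = base64.b64decode(secret_b64, validate=True)
    shortened = base64.b64decode(fixup_secret(alg, secret_b64))
    mac_old = hmac.new(original, message, DIGEST[alg]).digest()
    mac_new = hmac.new(shortened, message, DIGEST[alg]).digest()
    return hmac.compare_digest(mac_old, mac_new)


# Constructed sample: a 100-byte secret, longer than the 64-byte threshold
# for hmac-sha256 but within the 128-byte threshold for hmac-sha512.
SAMPLE_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")

if __name__ == "__main__":
    for alg in ("hmac-sha256", "hmac-sha512"):
        print(alg, "needs fixup:", needs_fixup(alg, SAMPLE_SECRET))
        print(alg, "secret to use:", fixup_secret(alg, SAMPLE_SECRET))
        print(alg, "MAC unchanged:", mac_matches(alg, SAMPLE_SECRET, b"tsig"))
```
 </programlisting>
 <para>
 Running the script shows the hmac-sha256 secret being replaced by its
 32-byte digest while the hmac-sha512 secret is printed back unchanged,
 and in both cases the MAC over a sample message is the same before and
 after conversion. Converting an already-converted secret is a no-op,
 since the digest is never longer than the threshold.
 </para>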
 </refsection>

 <refsection><info><title>SEE ALSO</title></info>

 <para>
 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
 <citetitle>RFC 2104</citetitle>.
 </para>
 </refsection>

</refentry>
