235N/A<!
DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 235N/A [<!ENTITY mdash "—">]>
235N/A - Copyright (C) 2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") 235N/A - Permission to use, copy, modify, and/or distribute this software for any 235N/A - purpose with or without fee is hereby granted, provided that the above 235N/A - copyright notice and this permission notice appear in all copies. 235N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 235N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 235N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 235N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 235N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 235N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 235N/A - PERFORMANCE OF THIS SOFTWARE. 235N/A <
date>April 28, 2013</
date>
235N/A <
refentrytitle><
application>isc-hmac-fixup</
application></
refentrytitle>
235N/A <
manvolnum>8</
manvolnum>
235N/A <
refmiscinfo>BIND9</
refmiscinfo>
235N/A <
refname><
application>isc-hmac-fixup</
application></
refname>
235N/A <
refpurpose>fixes HMAC keys generated by older versions of BIND</
refpurpose>
235N/A <
holder>Internet Systems Consortium, Inc. ("ISC")</
holder>
235N/A <
command>isc-hmac-fixup</
command>
235N/A <
arg choice="req"><
replaceable class="parameter">algorithm</
replaceable></
arg>
235N/A <
arg choice="req"><
replaceable class="parameter">secret</
replaceable></
arg>
235N/A <
title>DESCRIPTION</
title>
235N/A Versions of BIND 9 up to and including BIND 9.6 had a bug causing
235N/A HMAC-SHA* TSIG keys which were longer than the digest length of the
235N/A hash algorithm (
i.e., SHA1 keys longer than 160 bits, SHA256 keys
235N/A longer than 256 bits, etc) to be used incorrectly, generating a
235N/A message authentication code that was incompatible with other DNS
235N/A This bug has been fixed in BIND 9.7. However, the fix may
235N/A cause incompatibility between older and newer versions of
235N/A BIND, when using long keys. <
command>isc-hmac-fixup</
command>
235N/A modifies those keys to restore compatibility.
235N/A To modify a key, run <
command>isc-hmac-fixup</
command> and
235N/A specify the key's algorithm and secret on the command line. If the
235N/A secret is longer than the digest length of the algorithm (64 bytes
235N/A for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
235N/A new secret will be generated consisting of a hash digest of the old
235N/A secret. (If the secret did not require conversion, then it will be
235N/A printed without modification.)
235N/A <
title>SECURITY CONSIDERATIONS</
title>
261N/A Secrets that have been converted by <
command>isc-hmac-fixup</
command>
261N/A are shortened, but as this is how the HMAC protocol works in
235N/A operation anyway, it does not affect security. RFC 2104 notes,
235N/A "Keys longer than [the digest length] are acceptable but the
247N/A extra length would not significantly increase the function
235N/A <
title>SEE ALSO</
title>
241N/A <
citetitle>BIND 9 Administrator Reference Manual</
citetitle>,
241N/A <
citetitle>RFC 2104</
citetitle>.
235N/A <
para><
corpauthor>Internet Systems Consortium</
corpauthor>