isc-hmac-fixup.docbook revision 9a769d8b16eb4e3d088ba1e5bd6ccb65504e1c9e
<!--
 - Copyright (C) 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
  <info>
    <date>2013-04-28</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>isc-hmac-fixup</application></refname>
    <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2010</year>
      <year>2013</year>
      <year>2014</year>
      <year>2015</year>
      <year>2016</year>
      <year>2017</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis sepchar=" ">
      <command>isc-hmac-fixup</command>
      <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
      <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection><info><title>DESCRIPTION</title></info>

    <para>
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
      longer than 256 bits, etc.) to be used incorrectly, generating a
      message authentication code that was incompatible with other DNS
      implementations.
    </para>
    <para>
      This bug was fixed in BIND 9.7. However, the fix may
      cause incompatibility between older and newer versions of
      BIND when using long keys. <command>isc-hmac-fixup</command>
      modifies those keys to restore compatibility.
    </para>
    <para>
      To modify a key, run <command>isc-hmac-fixup</command> and
      specify the key's algorithm and secret on the command line. If the
      secret is longer than the digest length of the algorithm (64 bytes
      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
      new secret will be generated consisting of a hash digest of the old
      secret. (If the secret did not require conversion, then it will be
      printed without modification.)
    </para>
  </refsection>

  <refsection><info><title>SECURITY CONSIDERATIONS</title></info>

    <para>
      Secrets that have been converted by <command>isc-hmac-fixup</command>
      are shortened, but as this is how the HMAC protocol works in
      operation anyway, it does not affect security. RFC 2104 notes,
      "Keys longer than [the digest length] are acceptable but the
      extra length would not significantly increase the function
      strength."
    </para>
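    <para>
      Added example, not part of the ISC manual page or of BIND's source:
      a Python sketch of the conversion described under DESCRIPTION and of
      the equivalence stated in this section, checked against a standard
      RFC 2104 HMAC (it does not model the pre-9.7 behaviour). It assumes
      the secret is passed base64-encoded, takes the 64-byte and 128-byte
      thresholds from the text above, and uses hypothetical helper names
      (fixup_secret, rfc2104_mac) and constructed sample secrets.
    </para>

```python
import base64
import hashlib
import hmac

# Thresholds as stated in DESCRIPTION: 64 bytes for SHA1 through SHA256,
# 128 bytes for SHA384 and SHA512.
THRESHOLD = {"sha1": 64, "sha224": 64, "sha256": 64, "sha384": 128, "sha512": 128}

# Constructed sample secrets (assumption: secrets are passed base64-encoded).
LONG_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")   # 100 bytes
SHORT_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")   # 32 bytes


def _hash_name(algorithm):
    name = algorithm.lower().replace("hmac-", "")
    if name not in THRESHOLD:
        raise ValueError("unsupported algorithm: " + algorithm)
    return name


def fixup_secret(algorithm, secret_b64):
    """Hypothetical helper: hash an over-long secret, else return it unchanged."""
    name = _hash_name(algorithm)
    secret = base64.b64decode(secret_b64, validate=True)
    if len(secret) > THRESHOLD[name]:
        return base64.b64encode(hashlib.new(name, secret).digest()).decode("ascii")
    return secret_b64


def rfc2104_mac(algorithm, secret_b64, message):
    """Standard RFC 2104 HMAC over message, keyed with the decoded secret."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, _hash_name(algorithm)).hexdigest()


def demo(message=b"constructed sample message"):
    """For each algorithm: (was the secret converted?, do both secrets give the same MAC?)."""
    out = {}
    for alg in ("hmac-sha1", "hmac-sha256", "hmac-sha512"):
        fixed = fixup_secret(alg, LONG_SECRET)
        same = hmac.compare_digest(rfc2104_mac(alg, LONG_SECRET, message),
                                   rfc2104_mac(alg, fixed, message))
        out[alg] = (fixed != LONG_SECRET, same)
    return out


if __name__ == "__main__":
    for alg, result in demo().items():
        print(alg, result)
```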
  </refsection>

  <refsection><info><title>SEE ALSO</title></info>

    <para>
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 2104</citetitle>.
    </para>
  </refsection>

</refentry>