bin/tools/isc-hmac-fixup.docbook

	isc-hmac-fixup.docbook revision 0c27b3fe77ac1d5094ba3521e8142d9e7973133f
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere<!--
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere - Copyright (C) 2010, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere -
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere - This Source Code Form is subject to the terms of the Mozilla Public
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere - License, v. 2.0. If a copy of the MPL was not distributed with this
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere - file, You can obtain one at http://mozilla.org/MPL/2.0/.
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere-->
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere<!-- Converted by db4-upgrade version 1.0 -->
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen  <info>
2e545ce2450a9953665f701bb05350f0d3f26275nd    <date>2013-04-28</date>
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen  </info>
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen  <refentryinfo>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <corpname>ISC</corpname>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen  </refentryinfo>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere  <refmeta>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <manvolnum>8</manvolnum>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd    <refmiscinfo>BIND9</refmiscinfo>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere  </refmeta>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere  <refnamediv>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <refname><application>isc-hmac-fixup</application></refname>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
ecc5150d35c0dc5ee5119c2717e6660fa331abbftakashi  </refnamediv>
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere  <docinfo>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <copyright>
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      <year>2010</year>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere      <year>2013</year>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere      <year>2014</year>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere      <year>2015</year>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      <year>2016</year>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    </copyright>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh  </docinfo>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere  <refsynopsisdiv>
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere    <cmdsynopsis sepchar=" ">
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere      <command>isc-hmac-fixup</command>
ac2a72149b423e2e84596098d7e47af88ebd215asf      <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor    </cmdsynopsis>
ac2a72149b423e2e84596098d7e47af88ebd215asf  </refsynopsisdiv>
ac2a72149b423e2e84596098d7e47af88ebd215asf
ac2a72149b423e2e84596098d7e47af88ebd215asf  <refsection><info><title>DESCRIPTION</title></info>
ac2a72149b423e2e84596098d7e47af88ebd215asf
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor    <para>
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere      HMAC-SHA* TSIG keys which were longer than the digest length of the
eec3a6d65a733157dc4cf3026abda13dcb90d0cfjfclere      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      longer than 256 bits, etc) to be used incorrectly, generating a
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      message authentication code that was incompatible with other DNS
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      implementations.
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor    </para>
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor    <para>
1a5a0356d04b1772b5a6b77c972774ab68832f81gryzor      This bug has been fixed in BIND 9.7.  However, the fix may
a56ff98d3082c853f69e8de5c3e8bcab2734c0earbowen      cause incompatibility between older and newer versions of
a56ff98d3082c853f69e8de5c3e8bcab2734c0earbowen      BIND, when using long keys.  <command>isc-hmac-fixup</command>
a56ff98d3082c853f69e8de5c3e8bcab2734c0earbowen      modifies those keys to restore compatibility.
a56ff98d3082c853f69e8de5c3e8bcab2734c0earbowen    </para>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic    <para>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      To modify a key, run <command>isc-hmac-fixup</command> and
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      specify the key's algorithm and secret on the command line.  If the
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      secret is longer than the digest length of the algorithm (64 bytes
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      new secret will be generated consisting of a hash digest of the old
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      secret.  (If the secret did not require conversion, then it will be
a56ff98d3082c853f69e8de5c3e8bcab2734c0earbowen      printed without modification.)
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd    </para>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd  </refsection>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd  <refsection><info><title>SECURITY CONSIDERATIONS</title></info>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd    <para>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      Secrets that have been converted by <command>isc-hmac-fixup</command>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      are shortened, but as this is how the HMAC protocol works in
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      operation anyway, it does not affect security.  RFC 2104 notes,
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      "Keys longer than [the digest length] are acceptable but the
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      extra length would not significantly increase the function
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd      strength."
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic    </para>
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd  </refsection>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic  <refsection><info><title>SEE ALSO</title></info>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic    <para>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
4044e4b6cb07cf7fa8e90676fafffe543c1d439bjim      <citetitle>RFC 2104</citetitle>.
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic    </para>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic  </refsection>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic</refentry>
da81fc93dd9cb59b907544c3f2d47114ce8f5eeaigalic