d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

32098293b78922a5fbd10906afa28624820d3756Tinderbox User [<!ENTITY mdash "&#8212;">]>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<refentry id="man.isc-hmac-fixup">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refentryinfo>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <date>January 5, 2010</date>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refentryinfo>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refmeta>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <manvolnum>1</manvolnum>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refmiscinfo>BIND9</refmiscinfo>

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </refmeta>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refnamediv>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refname><application>isc-hmac-fixup</application></refname>

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>

0b89eee6167201843c9a46b7e7c63cb1e4e09ba3Tinderbox User </refnamediv>

32098293b78922a5fbd10906afa28624820d3756Tinderbox User

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <docinfo>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <copyright>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <year>2010</year>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </copyright>

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </docinfo>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsynopsisdiv>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <cmdsynopsis>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <command>isc-hmac-fixup</command>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <arg choice="req"><replaceable class="parameter">secret</replaceable></arg>

010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User </cmdsynopsis>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </refsynopsisdiv>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <refsect1>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <title>DESCRIPTION</title>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <para>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Versions of BIND 9 up to and including BIND 9.6 had a bug causing

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein HMAC-SHA* TSIG keys which were longer than the digest length of the

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews longer than 256 bits, etc) to be used incorrectly, generating a

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein message authentication code that was incompatible with other DNS

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User implementations.

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </para>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <para>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User This bug has been fixed in BIND 9.7. However, the fix may

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User cause incompatibility between older and newer versions of

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein BIND, when using long keys. <command>isc-hmac-fixup</command>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein modifies those keys to restore compatibility.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <para>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To modify a key, run <command>isc-hmac-fixup</command> and

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User specify the key's algorithm and secret on the command line. If the

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User secret is longer than the digest length of the algorithm (64 bytes

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User new secret will be generated consisting of a hash digest of the old

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User secret. (If the secret did not require conversion, then it will be

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein printed without modification.)

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </para>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </refsect1>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsect1>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <title>SECURITY CONSIDERATIONS</title>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Secrets that have been converted by <command>isc-hmac-fixup</command>

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt are shortened, but as this is how the HMAC protocol works in

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt operation anyway, it does not affect security. RFC 2104 notes,

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt "Keys longer than [the digest length] are acceptable but the

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User extra length would not significantly increase the function

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User strength."

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </para>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refsect1>

2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User

2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User <refsect1>

2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User <title>SEE ALSO</title>

2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User <para>

2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User <citetitle>BIND 9 Administrator Reference Manual</citetitle>,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <citetitle>RFC 2104</citetitle>.

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </para>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </refsect1>

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsect1>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <title>AUTHOR</title>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <para><corpauthor>Internet Systems Consortium</corpauthor>

af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </para>

44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater </refsect1>

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt

6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater</refentry><!--

17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User