<!-- isc-hmac-fixup.docbook revision 30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1 -->
<!--
 - Copyright (C) 2010, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
  <refentryinfo>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
  </refmeta>
  <refnamediv>
    <refname><application>isc-hmac-fixup</application></refname>
    <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
  </refnamediv>

  <copyright>
    <year>2010</year>
    <year>2013</year>
    <year>2014</year>
    <year>2015</year>
    <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
  </copyright>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>isc-hmac-fixup</command>
      <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
      <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsection><info><title>DESCRIPTION</title></info>
    <para>
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
      longer than 256 bits, etc.) to be used incorrectly, generating a
      message authentication code that was incompatible with other DNS
      implementations.  (RFC 2104 only pre-hashes a key when it is longer
      than the hash function's block size, 64 bytes for SHA1 through SHA256
      and 128 bytes for SHA384 and SHA512, so a key that was longer than
      the digest length but no longer than the block size was handled
      differently by BIND and by everyone else.)
    </para>
    <para>
      This bug has been fixed in BIND 9.7.  However, the fix may
      cause incompatibility between older and newer versions of
      BIND, when using long keys.  <command>isc-hmac-fixup</command>
      modifies those keys to restore compatibility.
    </para>
    <para>
      To modify a key, run <command>isc-hmac-fixup</command> and
      specify the key's algorithm and secret on the command line.  If the
      secret is longer than the digest length of the algorithm (20 bytes
      for SHA1, 28 bytes for SHA224, 32 bytes for SHA256, 48 bytes for
      SHA384 and 64 bytes for SHA512), then a new secret will be generated
      consisting of a hash digest of the old secret, computed with the
      same hash algorithm.  Note that the threshold is the digest length,
      not the 64- or 128-byte block size at which RFC 2104 itself
      pre-hashes long keys.  (If the secret did not require conversion,
      then it will be printed without modification.)
    </para>
  </refsection>
  <refsection><info><title>SECURITY CONSIDERATIONS</title></info>
    <para>
      Secrets that have been converted by <command>isc-hmac-fixup</command>
      are shortened, but as this is how the HMAC protocol works in
      operation anyway, it does not affect security.  RFC 2104 notes,
      "Keys longer than [the digest length] are acceptable but the
      extra length would not significantly increase the function
      strength."
    </para>
    <para>
      The converted secret is exactly as sensitive as the original: it is
      the key that actually enters the HMAC computation, so anyone holding
      it can produce valid TSIG signatures.  Handle the output of
      <command>isc-hmac-fixup</command> with the same care as the
      <literal>key</literal> statement it replaces.
    </para>
  </refsection>
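    <para>
      The following is an added worked example, not ISC's code and not the
      source of <command>isc-hmac-fixup</command>.  It re-implements the
      conversion rule from DESCRIPTION and then checks the claim above that
      a shortened secret still authenticates.  Two things are assumptions of
      the example: the pre-9.7 BIND behaviour is modelled as pre-hashing any
      key longer than the digest length (the rule the conversion implies),
      and secrets are handled as base64 strings, as they appear in a
      <literal>key</literal> statement.  The sample secrets and message are
      constructed for the example.
    </para>

```python
import base64
import hashlib
import hmac

# Digest length and block size in bytes for the algorithms the tool handles.
ALGS = {
    "hmac-sha1":   ("sha1",   20,  64),
    "hmac-sha224": ("sha224", 28,  64),
    "hmac-sha256": ("sha256", 32,  64),
    "hmac-sha384": ("sha384", 48, 128),
    "hmac-sha512": ("sha512", 64, 128),
}

# Constructed sample message standing in for the TSIG-signed DNS message.
SAMPLE_MSG = b"example.com. IN SOA ns1.example.com. hostmaster.example.com."


def raw_hmac(hashname, key, msg, key_limit):
    """HMAC per RFC 2104, except that the key is pre-hashed whenever it is
    longer than key_limit.  RFC 2104 uses the block size B as that limit;
    the pre-9.7 BIND behaviour is modelled here (an assumption) as using
    the digest length L instead."""
    h = getattr(hashlib, hashname)
    block = h().block_size
    if len(key) > key_limit:
        key = h(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg).digest()).digest()


def mac_rfc2104(alg, key, msg):
    """What BIND 9.7+ and other DNS implementations compute."""
    hashname, _, block = ALGS[alg]
    return raw_hmac(hashname, key, msg, block)


def mac_old_bind(alg, key, msg):
    """What BIND 9.6 and earlier computed (modelled, see raw_hmac)."""
    hashname, digestlen, _ = ALGS[alg]
    return raw_hmac(hashname, key, msg, digestlen)


def matches_stdlib(alg, key, msg):
    """Sanity check: the RFC 2104 path agrees with Python's hmac module."""
    hashname = ALGS[alg][0]
    return mac_rfc2104(alg, key, msg) == hmac.new(key, msg, hashname).digest()


def isc_hmac_fixup(alg, secret_b64):
    """The documented conversion rule: a secret longer than the digest
    length is replaced by its digest under the same hash; anything else is
    returned unchanged.  Re-implementation for illustration only."""
    hashname, digestlen, _ = ALGS[alg]
    secret = base64.b64decode(secret_b64)
    if len(secret) > digestlen:
        secret = getattr(hashlib, hashname)(secret).digest()
    return base64.b64encode(secret).decode("ascii")


def compatibility_report(alg, secret, msg=SAMPLE_MSG):
    """Compare the two MAC variants before and after converting the secret."""
    secret_b64 = base64.b64encode(secret).decode("ascii")
    fixed = base64.b64decode(isc_hmac_fixup(alg, secret_b64))
    return {
        "converted": fixed != secret,
        "agree_before": mac_old_bind(alg, secret, msg) == mac_rfc2104(alg, secret, msg),
        "agree_after": mac_old_bind(alg, fixed, msg) == mac_rfc2104(alg, fixed, msg),
        # A pre-9.7 peer still configured with the original secret keeps
        # producing the MAC that fixed peers now compute from the new one.
        "old_peer_still_matches": mac_old_bind(alg, secret, msg) == mac_rfc2104(alg, fixed, msg),
    }


if __name__ == "__main__":
    key = bytes(range(40))  # constructed 40-byte secret: between L and B for SHA1
    print(isc_hmac_fixup("hmac-sha1", base64.b64encode(key).decode("ascii")))
    print(compatibility_report("hmac-sha1", key))
```

    <para>
      Under that model the report shows where conversion matters: a secret
      between the digest length and the block size produces different MACs
      on old and new peers until it is converted, a secret longer than the
      block size is already pre-hashed by both sides and merely gets
      shortened, and a secret no longer than the digest length is printed
      unchanged.  It also shows that a peer still running the older BIND
      with the original secret computes the same MAC that converted peers
      compute, so only the upgraded (and non-BIND) peers need the new secret.
    </para>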
  <refsection><info><title>SEE ALSO</title></info>
    <para>
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
    </para>
  </refsection>
</refentry>