676N/A - Copyright (C) 2010, 2013-2015 Internet Systems Consortium, Inc. ("ISC") 676N/A - Permission to use, copy, modify, and/or distribute this software for any 676N/A - purpose with or without fee is hereby granted, provided that the above 676N/A - copyright notice and this permission notice appear in all copies. 676N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 676N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 676N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 676N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 676N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 676N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 676N/A - PERFORMANCE OF THIS SOFTWARE. 676N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
676N/A<
title>isc-hmac-fixup</
title>
676N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.76.1">
676N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><
div class="refentry" title="isc-hmac-fixup">
676N/A <
div class="refnamediv">
676N/A <
span class="application">isc-hmac-fixup</
span>
676N/A — fixes HMAC keys generated by older versions of BIND
676N/A <
div class="refsynopsisdiv" title="Synopsis">
676N/A <
div class="cmdsynopsis"><
p>
676N/A <
code class="command">isc-hmac-fixup</
code>
676N/A {<
em class="replaceable"><
code>algorithm</
code></
em>}
676N/A {<
em class="replaceable"><
code>secret</
code></
em>}
676N/A <
div class="refsection" title="DESCRIPTION">
676N/A<
a name="idp60859856"></
a><
h2>DESCRIPTION</
h2>
676N/A Versions of BIND 9 up to and including BIND 9.6 had a bug causing
676N/A HMAC-SHA* TSIG keys which were longer than the digest length of the
676N/A hash algorithm (
i.e., SHA1 keys longer than 160 bits, SHA256 keys
676N/A longer than 256 bits, etc) to be used incorrectly, generating a
676N/A message authentication code that was incompatible with other DNS
676N/A This bug has been fixed in BIND 9.7. However, the fix may
676N/A cause incompatibility between older and newer versions of
676N/A BIND, when using long keys. <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
676N/A modifies those keys to restore compatibility.
676N/A To modify a key, run <
span class="command"><
strong>isc-hmac-fixup</
strong></
span> and
676N/A specify the key's algorithm and secret on the command line. If the
676N/A secret is longer than the digest length of the algorithm (64 bytes
676N/A for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
676N/A new secret will be generated consisting of a hash digest of the old
676N/A secret. (If the secret did not require conversion, then it will be
676N/A printed without modification.)
676N/A <
div class="refsection" title="SECURITY CONSIDERATIONS">
676N/A<
a name="idp60862800"></
a><
h2>SECURITY CONSIDERATIONS</
h2>
676N/A Secrets that have been converted by <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
676N/A are shortened, but as this is how the HMAC protocol works in
676N/A operation anyway, it does not affect security. RFC 2104 notes,
676N/A "Keys longer than [the digest length] are acceptable but the
676N/A extra length would not significantly increase the function
676N/A <
div class="refsection" title="SEE ALSO">
676N/A<
a name="idp60864720"></
a><
h2>SEE ALSO</
h2>
676N/A <
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
676N/A <
em class="citetitle">RFC 2104</
em>.