bin/tools/isc-hmac-fixup.html

	isc-hmac-fixup.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
2N/A<!--
2N/A - Copyright (C) 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
2N/A -
2N/A - This Source Code Form is subject to the terms of the Mozilla Public
2N/A - License, v. 2.0. If a copy of the MPL was not distributed with this
2N/A - file, You can obtain one at http://mozilla.org/MPL/2.0/.
2N/A-->
2N/A<html>
2N/A<head>
2N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2N/A<title>isc-hmac-fixup</title>
2N/A<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
2N/A</head>
2N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
2N/A<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
2N/A<div class="refnamediv">
2N/A<h2>Name</h2>
2N/A<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
2N/A</div>
2N/A<div class="refsynopsisdiv">
2N/A<h2>Synopsis</h2>
2N/A<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
2N/A</div>
2N/A<div class="refsection">
2N/A<a name="id-1.7"></a><h2>DESCRIPTION</h2>
2N/A<p>
2N/A      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
2N/A      HMAC-SHA* TSIG keys which were longer than the digest length of the
2N/A      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
2N/A      longer than 256 bits, etc) to be used incorrectly, generating a
2N/A      message authentication code that was incompatible with other DNS
2N/A      implementations.
2N/A    </p>
2N/A<p>
2N/A      This bug has been fixed in BIND 9.7.  However, the fix may
2N/A      cause incompatibility between older and newer versions of
2N/A      BIND, when using long keys.  <span class="command"><strong>isc-hmac-fixup</strong></span>
2N/A      modifies those keys to restore compatibility.
2N/A    </p>
2N/A<p>
2N/A      To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
2N/A      specify the key's algorithm and secret on the command line.  If the
2N/A      secret is longer than the digest length of the algorithm (64 bytes
2N/A      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
2N/A      new secret will be generated consisting of a hash digest of the old
2N/A      secret.  (If the secret did not require conversion, then it will be
2N/A      printed without modification.)
2N/A    </p>
2N/A</div>
2N/A<div class="refsection">
2N/A<a name="id-1.8"></a><h2>SECURITY CONSIDERATIONS</h2>
2N/A<p>
2N/A      Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
2N/A      are shortened, but as this is how the HMAC protocol works in
2N/A      operation anyway, it does not affect security.  RFC 2104 notes,
2N/A      "Keys longer than [the digest length] are acceptable but the
2N/A      extra length would not significantly increase the function
2N/A      strength."
2N/A    </p>
2N/A</div>
2N/A<div class="refsection">
2N/A<a name="id-1.9"></a><h2>SEE ALSO</h2>
2N/A<p>
2N/A      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
2N/A      <em class="citetitle">RFC 2104</em>.
2N/A    </p>
2N/A</div>
2N/A</div></body>
2N/A</html>
2N/A