5097N/A - Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC") 5097N/A - Permission to use, copy, modify, and/or distribute this software for any 5097N/A - purpose with or without fee is hereby granted, provided that the above 5097N/A - copyright notice and this permission notice appear in all copies. 5097N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 5097N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 5097N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 5097N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 5097N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 5097N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 5097N/A - PERFORMANCE OF THIS SOFTWARE. 5097N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5097N/A<
title>isc-hmac-fixup</
title>
5097N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5097N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><
div class="refentry" lang="en">
5097N/A<
p><
span class="application">isc-hmac-fixup</
span> — fixes HMAC keys generated by older versions of BIND</
p>
5097N/A<
div class="refsynopsisdiv">
5097N/A<
div class="cmdsynopsis"><
p><
code class="command">isc-hmac-fixup</
code> {<
em class="replaceable"><
code>algorithm</
code></
em>} {<
em class="replaceable"><
code>secret</
code></
em>}</
p></
div>
5097N/A<
div class="refsect1" lang="en">
5097N/A<
a name="id2543355"></
a><
h2>DESCRIPTION</
h2>
5097N/A Versions of BIND 9 up to and including BIND 9.6 had a bug causing
5097N/A HMAC-SHA* TSIG keys which were longer than the digest length of the
5097N/A hash algorithm (
i.e., SHA1 keys longer than 160 bits, SHA256 keys
5097N/A longer than 256 bits, etc) to be used incorrectly, generating a
5097N/A message authentication code that was incompatible with other DNS
5097N/A This bug has been fixed in BIND 9.7. However, the fix may
5097N/A cause incompatibility between older and newer versions of
5097N/A BIND, when using long keys. <
span><
strong class="command">isc-hmac-fixup</
strong></
span>
5097N/A modifies those keys to restore compatibility.
5097N/A To modify a key, run <
span><
strong class="command">isc-hmac-fixup</
strong></
span> and
5097N/A specify the key's algorithm and secret on the command line. If the
5097N/A secret is longer than the digest length of the algorithm (64 bytes
5097N/A for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
5097N/A new secret will be generated consisting of a hash digest of the old
5097N/A secret. (If the secret did not require conversion, then it will be
5097N/A printed without modification.)
5097N/A<
div class="refsect1" lang="en">
5097N/A<
a name="id2543379"></
a><
h2>SECURITY CONSIDERATIONS</
h2>
5097N/A Secrets that have been converted by <
span><
strong class="command">isc-hmac-fixup</
strong></
span>
5097N/A are shortened, but as this is how the HMAC protocol works in
5097N/A operation anyway, it does not affect security. RFC 2104 notes,
5097N/A "Keys longer than [the digest length] are acceptable but the
5097N/A extra length would not significantly increase the function
5097N/A<
div class="refsect1" lang="en">
5097N/A<
a name="id2543393"></
a><
h2>SEE ALSO</
h2>
5097N/A <
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
5097N/A <
em class="citetitle">RFC 2104</
em>.
5097N/A<
div class="refsect1" lang="en">
5097N/A<
a name="id2543410"></
a><
h2>AUTHOR</
h2>
5097N/A<
p><
span class="corpauthor">Internet Systems Consortium</
span>