606N/A - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC") 8N/A - This Source Code Form is subject to the terms of the Mozilla Public 8N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 8N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8N/A<
title>isc-hmac-fixup</
title>
8N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
8N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
8N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
8N/A<
div class="navheader">
8N/A<
table width="100%" summary="Navigation header">
8N/A<
tr><
th colspan="3" align="center"><
span class="application">isc-hmac-fixup</
span></
th></
tr>
8N/A<
td width="20%" align="left">
8N/A<
th width="60%" align="center">Manual pages</
th>
8N/A<
div class="refentry">
705N/A <
div class="refnamediv">
606N/A <
span class="application">isc-hmac-fixup</
span>
606N/A — fixes HMAC keys generated by older versions of BIND
606N/A <
div class="refsynopsisdiv">
606N/A <
div class="cmdsynopsis"><
p>
606N/A <
code class="command">isc-hmac-fixup</
code>
606N/A {<
em class="replaceable"><
code>algorithm</
code></
em>}
606N/A {<
em class="replaceable"><
code>secret</
code></
em>}
606N/A <
div class="refsection">
606N/A<
a name="id-1.14.34.7"></
a><
h2>DESCRIPTION</
h2>
606N/A Versions of BIND 9 up to and including BIND 9.6 had a bug causing
606N/A HMAC-SHA* TSIG keys which were longer than the digest length of the
606N/A hash algorithm (
i.e., SHA1 keys longer than 160 bits, SHA256 keys
98N/A longer than 256 bits, etc) to be used incorrectly, generating a
156N/A message authentication code that was incompatible with other DNS
747N/A This bug was fixed in BIND 9.7. However, the fix may
747N/A cause incompatibility between older and newer versions of
747N/A BIND, when using long keys. <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
8N/A modifies those keys to restore compatibility.
8N/A To modify a key, run <
span class="command"><
strong>isc-hmac-fixup</
strong></
span> and
493N/A specify the key's algorithm and secret on the command line. If the
493N/A secret is longer than the digest length of the algorithm (64 bytes
380N/A for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
493N/A new secret will be generated consisting of a hash digest of the old
493N/A secret. (If the secret did not require conversion, then it will be
493N/A printed without modification.)
<
a name="id-1.14.34.8"></
a><
h2>SECURITY CONSIDERATIONS</
h2>
Secrets that have been converted by <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
<
a name="id-1.14.34.9"></
a><
h2>SEE ALSO</
h2>
<
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
<
em class="citetitle">RFC 2104</
em>.
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch13.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">genrandom</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">nsec3hash</
span>