280N/A - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC") 280N/A - This Source Code Form is subject to the terms of the Mozilla Public 280N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 280N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
280N/A<
title>isc-hmac-fixup</
title>
280N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
280N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
280N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
280N/A<
table width="100%" summary="Navigation header">
3817N/A<
tr><
th colspan="3" align="center"><
span class="application">isc-hmac-fixup</
span></
th></
tr>
280N/A<
td width="20%" align="left">
1244N/A<
th width="60%" align="center">Manual pages</
th>
844N/A<
div class="refnamediv">
1258N/A<
p><
span class="application">isc-hmac-fixup</
span> — fixes HMAC keys generated by older versions of BIND</
p>
2899N/A<
div class="refsynopsisdiv">
3817N/A<
div class="cmdsynopsis"><
p><
code class="command">isc-hmac-fixup</
code> {<
em class="replaceable"><
code>algorithm</
code></
em>} {<
em class="replaceable"><
code>secret</
code></
em>}</
p></
div>
280N/A<
a name="id-1.14.30.7"></
a><
h2>DESCRIPTION</
h2>
280N/A Versions of BIND 9 up to and including BIND 9.6 had a bug causing
280N/A HMAC-SHA* TSIG keys which were longer than the digest length of the
280N/A hash algorithm (
i.e., SHA1 keys longer than 160 bits, SHA256 keys
280N/A longer than 256 bits, etc) to be used incorrectly, generating a
280N/A message authentication code that was incompatible with other DNS
747N/A This bug has been fixed in BIND 9.7. However, the fix may
747N/A cause incompatibility between older and newer versions of
747N/A BIND, when using long keys. <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
1021N/A modifies those keys to restore compatibility.
3353N/A To modify a key, run <
span class="command"><
strong>isc-hmac-fixup</
strong></
span> and
3477N/A specify the key's algorithm and secret on the command line. If the
3477N/A secret is longer than the digest length of the algorithm (64 bytes
280N/A for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
280N/A new secret will be generated consisting of a hash digest of the old
280N/A secret. (If the secret did not require conversion, then it will be
280N/A printed without modification.)
280N/A<
div class="refsection">
280N/A<
a name="id-1.14.30.8"></
a><
h2>SECURITY CONSIDERATIONS</
h2>
3817N/A Secrets that have been converted by <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
3817N/A are shortened, but as this is how the HMAC protocol works in
3817N/A operation anyway, it does not affect security. RFC 2104 notes,
3817N/A "Keys longer than [the digest length] are acceptable but the
3817N/A extra length would not significantly increase the function
<
a name="id-1.14.30.9"></
a><
h2>SEE ALSO</
h2>
<
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
<
em class="citetitle">RFC 2104</
em>.
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch13.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">genrandom</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">nsec3hash</
span>