250N/A - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC") 250N/A - This Source Code Form is subject to the terms of the Mozilla Public 250N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 250N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
250N/A<
title>isc-hmac-fixup</
title>
250N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
250N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
250N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
3996N/A<
table width="100%" summary="Navigation header">
250N/A<
tr><
th colspan="3" align="center"><
span class="application">isc-hmac-fixup</
span></
th></
tr>
250N/A<
td width="20%" align="left">
250N/A<
th width="60%" align="center">Manual pages</
th>
3996N/A<
p><
span class="application">isc-hmac-fixup</
span> — fixes HMAC keys generated by older versions of BIND</
p>
3996N/A<
div class="refsynopsisdiv">
250N/A<
div class="cmdsynopsis"><
p><
code class="command">isc-hmac-fixup</
code> {<
em class="replaceable"><
code>algorithm</
code></
em>} {<
em class="replaceable"><
code>secret</
code></
em>}</
p></
div>
250N/A<
div class="refsection">
250N/A<
a name="id-1.14.34.7"></
a><
h2>DESCRIPTION</
h2>
250N/A Versions of BIND 9 up to and including BIND 9.6 had a bug causing
250N/A HMAC-SHA* TSIG keys which were longer than the digest length of the
250N/A hash algorithm (
i.e., SHA1 keys longer than 160 bits, SHA256 keys
250N/A longer than 256 bits, etc) to be used incorrectly, generating a
250N/A message authentication code that was incompatible with other DNS
250N/A This bug has been fixed in BIND 9.7. However, the fix may
250N/A cause incompatibility between older and newer versions of
250N/A BIND, when using long keys. <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
250N/A modifies those keys to restore compatibility.
250N/A To modify a key, run <
span class="command"><
strong>isc-hmac-fixup</
strong></
span> and
250N/A specify the key's algorithm and secret on the command line. If the
250N/A secret is longer than the digest length of the algorithm (64 bytes
250N/A for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
250N/A new secret will be generated consisting of a hash digest of the old
250N/A secret. (If the secret did not require conversion, then it will be
250N/A printed without modification.)
250N/A<
div class="refsection">
250N/A<
a name="id-1.14.34.8"></
a><
h2>SECURITY CONSIDERATIONS</
h2>
250N/A Secrets that have been converted by <
span class="command"><
strong>isc-hmac-fixup</
strong></
span>
250N/A are shortened, but as this is how the HMAC protocol works in
250N/A operation anyway, it does not affect security. RFC 2104 notes,
250N/A "Keys longer than [the digest length] are acceptable but the
250N/A extra length would not significantly increase the function
3996N/A<
a name="id-1.14.34.9"></
a><
h2>SEE ALSO</
h2>
<
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
<
em class="citetitle">RFC 2104</
em>.
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch13.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">genrandom</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">nsec3hash</
span>