man.isc-hmac-fixup.html revision 2eeb74d1cf5355dd98f6d507a10086e16bb08c4b
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync<!--
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync -
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync - Permission to use, copy, modify, and/or distribute this software for any
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - purpose with or without fee is hereby granted, provided that the above
7eaaa8a4480370b82ef3735994f986f338fb4df2vboxsync - copyright notice and this permission notice appear in all copies.
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync -
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync - PERFORMANCE OF THIS SOFTWARE.
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync-->
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<html>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<head>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<title>isc-hmac-fixup</title>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.76.1">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<link rel="prev" href="man.genrandom.html" title="genrandom">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync</head>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<div class="refentry" title="isc-hmac-fixup">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <div class="refnamediv">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<h2>Name</h2>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <span class="application">isc-hmac-fixup</span>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync &#8212; fixes HMAC keys generated by older versions of BIND
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync </p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync</div>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <div class="refsynopsisdiv" title="Synopsis">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<h2>Synopsis</h2>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <div class="cmdsynopsis"><p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <code class="command">isc-hmac-fixup</code>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync {<em class="replaceable"><code>algorithm</code></em>}
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync {<em class="replaceable"><code>secret</code></em>}
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync </p></div>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync </div>
058e9c6d97c5306126f83d934148c658804f1d6cvboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <div class="refsection" title="DESCRIPTION">
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<a name="idp80329040"></a><h2>DESCRIPTION</h2>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync Versions of BIND 9 up to and including BIND 9.6 had a bug causing
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync HMAC-SHA* TSIG keys which were longer than the digest length of the
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync longer than 256 bits, etc.) to be used incorrectly, generating a
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync message authentication code that was incompatible with other DNS
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync implementations.
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync </p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync This bug has been fixed in BIND 9.7. However, the fix may
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync cause incompatibility between older and newer versions of
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync BIND, when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span>
aa4bcf0a4b2db3ac352b56a291d49cb8d4b66d32vboxsync modifies those keys to restore compatibility.
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync </p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync <p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync specify the key's algorithm and secret on the command line. If the
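37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync secret is longer than the digest length of the algorithm (64 bytes
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512; note that these figures are the block sizes of those hash functions, whereas the digest lengths cited earlier in this section are 160 bits for SHA1 and 256 bits for SHA256, so the exact conversion threshold should be confirmed against the tool itself), then a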
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync new secret will be generated consisting of a hash digest of the old
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync secret. (If the secret did not require conversion, then it will be
40b7f0c2d3f97e0c6171f34f96ec3e05eea44d72vboxsync printed without modification.)
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync </p>
78df3a3ca20e014e0d9eb72cd7bb72711255d5f6vboxsync </div>
e43535ace2499e7f8ef8822186047979bd58d464vboxsync
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync <div class="refsection" title="SECURITY CONSIDERATIONS">
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync<a name="idp80332112"></a><h2>SECURITY CONSIDERATIONS</h2>
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync <p>
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
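d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync are shortened, but because HMAC itself hashes an over-long key
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync before using it, this does not affect security. RFC 2104 notes,
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync "Keys longer than [the digest length] are acceptable but the
a7aa94e0115a73841f34ebbfa00f63fa1904e51fvboxsync extra length would not significantly increase the function
b6cc138b99f86c2d29ecfe32cecf9f68ba5e73afvboxsync strength." Note that the secret is passed as a command-line argument, so it may be visible to other local users in process listings while the tool runs, and it may be recorded in shell history; the converted secret printed by the tool is as sensitive as the original.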
0e5731ab59b4ecead38375f26eeea698f00b19fdvboxsync </p>
0e5731ab59b4ecead38375f26eeea698f00b19fdvboxsync </div>
0e5731ab59b4ecead38375f26eeea698f00b19fdvboxsync
a7aa94e0115a73841f34ebbfa00f63fa1904e51fvboxsync <div class="refsection" title="SEE ALSO">
a7aa94e0115a73841f34ebbfa00f63fa1904e51fvboxsync<a name="idp80333904"></a><h2>SEE ALSO</h2>
a7aa94e0115a73841f34ebbfa00f63fa1904e51fvboxsync
32bf313cd8c0de52ef27b486f15945c55c94b038vboxsync <p>
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync <em class="citetitle">RFC 2104</em>.
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync </p>
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync </div>
d67d8d3162b0d9cac99842fc7da74e8371453046vboxsync
bec9452711598b56e648192360cab88a6c3535e8vboxsync</div>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync</body>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync</html>
37136b5ecb07042e5ba50f86849a79d1cba5d5f1vboxsync