man.isc-hmac-fixup.html revision 517ae3de96aaf870049c52f1224e38a85fe7f21a
689023771c563d8660e45d439a207e06e96de28fMark Andrews<!--
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater -
689023771c563d8660e45d439a207e06e96de28fMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
689023771c563d8660e45d439a207e06e96de28fMark Andrews - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
689023771c563d8660e45d439a207e06e96de28fMark Andrews -
689023771c563d8660e45d439a207e06e96de28fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
689023771c563d8660e45d439a207e06e96de28fMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
689023771c563d8660e45d439a207e06e96de28fMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
689023771c563d8660e45d439a207e06e96de28fMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
689023771c563d8660e45d439a207e06e96de28fMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
689023771c563d8660e45d439a207e06e96de28fMark Andrews - PERFORMANCE OF THIS SOFTWARE.
eea6be913f9928255cab5f58ff27da41c1e8e23aAutomatic Updater-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id: man.isc-hmac-fixup.html,v 1.23 2010/12/19 01:14:06 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<title>isc-hmac-fixup</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
4abdfc917e6635a7c81d1f931a0c79227e72d025Mark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.genrandom.html" title="genrandom">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<a accesskey="p" href="man.genrandom.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">Manual pages</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="man.nsec3hash.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refentry" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refnamediv">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Name</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsynopsisdiv">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Synopsis</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<a name="id2618256"></a><h2>DESCRIPTION</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Versions of BIND 9 up to and including BIND 9.6 had a bug causing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein HMAC-SHA* TSIG keys which were longer than the digest length of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein longer than 256 bits, etc) to be used incorrectly, generating a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein message authentication code that was incompatible with other DNS
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater implementations.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This bug has been fixed in BIND 9.7. However, the fix may
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cause incompatibility between older and newer versions of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein modifies those keys to restore compatibility.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specify the key's algorithm and secret on the command line. If the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein secret is longer than the digest length of the algorithm (64 bytes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein new secret will be generated consisting of a hash digest of the old
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein secret. (If the secret did not require conversion, then it will be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein printed without modification.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2618283"></a><h2>SECURITY CONSIDERATIONS</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are shortened, but as this is how the HMAC protocol works in
00124ad0406365d39f4b2d1011ef6a76706e9df0Mark Andrews operation anyway, it does not affect security. RFC 2104 notes,
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews "Keys longer than [the digest length] are acceptable but the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein extra length would not significantly increase the function
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein strength."
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2649497"></a><h2>SEE ALSO</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">RFC 2104</em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2649514"></a><h2>AUTHOR</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="corpauthor">Internet Systems Consortium</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.genrandom.html">Prev</a>�</td>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater<td width="40%" align="right">�<a accesskey="n" href="man.nsec3hash.html">Next</a>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater</td>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater</tr>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater<tr>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater<td width="40%" align="left" valign="top">
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater<span class="application">genrandom</span>�</td>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<td width="40%" align="right" valign="top">�<span class="application">nsec3hash</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein