man.isc-hmac-fixup.html revision 517ae3de96aaf870049c52f1224e38a85fe7f21a
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.isc-hmac-fixup.html,v 1.23 2010/12/19 01:14:06 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
<p>
 Versions of BIND 9 up to and including BIND 9.6 had a bug causing
 HMAC-SHA* TSIG keys which were longer than the digest length of the
 hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
 longer than 256 bits, etc.) to be used incorrectly, generating a
 message authentication code that was incompatible with other DNS
 implementations.
</p>
<p>
 This bug has been fixed in BIND 9.7. However, the fix may
 cause incompatibility between older and newer versions of
 BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
 modifies those keys to restore compatibility.
</p>
<p>
 To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
 specify the key's algorithm and secret on the command line. If the
 secret is longer than the digest length of the algorithm (64 bytes
 for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
 new secret will be generated consisting of a hash digest of the old
 secret. (If the secret did not require conversion, then it will be
 printed without modification.)
</p>
<a name="id2618283"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
 Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
 are shortened, but as this is how the HMAC protocol works in
 operation anyway, it does not affect security. RFC 2104 notes,
 "Keys longer than [the digest length] are acceptable but the
 extra length would not significantly increase the function
</p>
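<p>
As an added example (not part of this manual page and not BIND's own source), the following Python reproduces the conversion rule from the description above and then checks the claim of this section: RFC 2104 already replaces any key longer than the hash function's block size with its digest before use, so an HMAC computed with the original long secret and one computed with the converted secret are identical. The 64-byte and 128-byte thresholds quoted above are exactly those block sizes. The <code>hmac-sha*</code> spelling of the algorithm argument, the base64 encoding of the secret (as in a <code>named.conf</code> key statement) and the two sample secrets are assumptions of this example, not something the page states.
</p>

```python
import base64
import hashlib
import hmac

# Algorithm names accepted on the command line, mapped to hashlib
# constructors. The hmac-sha* spelling mirrors BIND's TSIG algorithm
# identifiers; that isc-hmac-fixup accepts exactly these strings is an
# assumption of this example.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

# Constructed sample secrets (base64, as in a named.conf key statement):
# a 32-byte secret that needs no conversion, and a 100-byte secret that
# exceeds the 64-byte threshold of SHA1/SHA224/SHA256 but stays under the
# 128-byte threshold of SHA384/SHA512.
EXAMPLE_SHORT = base64.b64encode(b"k" * 32).decode("ascii")
EXAMPLE_LONG = base64.b64encode(bytes(range(100))).decode("ascii")


def fixup_secret(algorithm: str, secret_b64: str) -> str:
    """Return the secret a BIND 9.7+ server must be configured with.

    A decoded secret longer than the hash function's block size (64 bytes
    for SHA1 through SHA256, 128 bytes for SHA384 and SHA512) is replaced
    by the base64 of its digest, which is what RFC 2104 does internally
    for over-long keys; anything shorter is returned unmodified.
    """
    try:
        digestmod = ALGORITHMS[algorithm.lower()]
    except KeyError:
        raise ValueError(f"unsupported algorithm: {algorithm}") from None
    secret = base64.b64decode(secret_b64, validate=True)
    if len(secret) <= digestmod().block_size:
        return secret_b64
    return base64.b64encode(digestmod(secret).digest()).decode("ascii")


def tsig_mac(algorithm: str, secret_b64: str, message: bytes) -> bytes:
    """HMAC of a message under a base64 TSIG secret (RFC 2104 semantics)."""
    digestmod = ALGORITHMS[algorithm.lower()]
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, digestmod).digest()


def macs_agree(algorithm: str, secret_b64: str, message: bytes) -> bool:
    """True when the original and the converted secret yield the same MAC,
    i.e. when a 9.7 server holding the converted key still interoperates
    with a peer that holds the long original."""
    converted = fixup_secret(algorithm, secret_b64)
    return hmac.compare_digest(
        tsig_mac(algorithm, secret_b64, message),
        tsig_mac(algorithm, converted, message),
    )


if __name__ == "__main__":
    msg = b"constructed TSIG-signed message"
    for alg in ALGORITHMS:
        converted = fixup_secret(alg, EXAMPLE_LONG)
        state = "converted" if converted != EXAMPLE_LONG else "unchanged"
        print(f"{alg}: secret {state}, MACs agree: {macs_agree(alg, EXAMPLE_LONG, msg)}")
```

<p>
Running the block shows the 100-byte secret being converted for the SHA1, SHA224 and SHA256 variants and left alone for SHA384 and SHA512, with the MAC comparison succeeding in every case; the comparison is the check an operator can run before editing a key statement to confirm the converted secret really is equivalent.
</p>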
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">nsec3hash</span>