doc/arm/man.isc-hmac-fixup.html

	man.isc-hmac-fixup.html revision 6100dfd774ab9b4040b6f348ef1de01bc902ae07
0N/A<!--
2362N/A - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
0N/A - Copyright (C) 2000-2003 Internet Software Consortium.
0N/A -
0N/A - Permission to use, copy, modify, and/or distribute this software for any
0N/A - purpose with or without fee is hereby granted, provided that the above
2362N/A - copyright notice and this permission notice appear in all copies.
0N/A -
2362N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
0N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0N/A - PERFORMANCE OF THIS SOFTWARE.
0N/A-->
0N/A<!-- $Id: man.isc-hmac-fixup.html,v 1.43 2011/05/18 01:14:43 tbox Exp $ -->
0N/A<html>
0N/A<head>
0N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2362N/A<title>isc-hmac-fixup</title>
2362N/A<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2362N/A<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0N/A<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
0N/A<link rel="prev" href="man.genrandom.html" title="genrandom">
0N/A<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
0N/A</head>
0N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0N/A<div class="navheader">
0N/A<table width="100%" summary="Navigation header">
0N/A<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
0N/A<tr>
0N/A<td width="20%" align="left">
0N/A<a accesskey="p" href="man.genrandom.html">Prev</a>�</td>
0N/A<th width="60%" align="center">Manual pages</th>
0N/A<td width="20%" align="right">�<a accesskey="n" href="man.nsec3hash.html">Next</a>
0N/A</td>
0N/A</tr>
0N/A</table>
0N/A<hr>
0N/A</div>
0N/A<div class="refentry" lang="en">
0N/A<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
3172N/A<div class="refnamediv">
3172N/A<h2>Name</h2>
0N/A<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
0N/A</div>
0N/A<div class="refsynopsisdiv">
0N/A<h2>Synopsis</h2>
0N/A<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
3172N/A</div>
1884N/A<div class="refsect1" lang="en">
1884N/A<a name="id2615426"></a><h2>DESCRIPTION</h2>
0N/A<p>
0N/A      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
0N/A      HMAC-SHA* TSIG keys which were longer than the digest length of the
0N/A      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
0N/A      longer than 256 bits, etc) to be used incorrectly, generating a
0N/A      message authentication code that was incompatible with other DNS
0N/A      implementations.
0N/A    </p>
0N/A<p>
0N/A      This bug has been fixed in BIND 9.7.  However, the fix may
0N/A      cause incompatibility between older and newer versions of
0N/A      BIND, when using long keys.  <span><strong class="command">isc-hmac-fixup</strong></span>
0N/A      modifies those keys to restore compatibility.
0N/A    </p>
0N/A<p>
0N/A      To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
0N/A      specify the key's algorithm and secret on the command line.  If the
0N/A      secret is longer than the digest length of the algorithm (64 bytes
0N/A      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
0N/A      new secret will be generated consisting of a hash digest of the old
0N/A      secret.  (If the secret did not require conversion, then it will be
0N/A      printed without modification.)
0N/A    </p>
0N/A</div>
0N/A<div class="refsect1" lang="en">
0N/A<a name="id2655253"></a><h2>SECURITY CONSIDERATIONS</h2>
0N/A<p>
0N/A      Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
0N/A      are shortened, but as this is how the HMAC protocol works in
0N/A      operation anyway, it does not affect security.  RFC 2104 notes,
0N/A      "Keys longer than [the digest length] are acceptable but the
0N/A      extra length would not significantly increase the function
0N/A      strength."
0N/A    </p>
0N/A</div>
0N/A<div class="refsect1" lang="en">
0N/A<a name="id2655269"></a><h2>SEE ALSO</h2>
0N/A<p>
0N/A      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
0N/A      <em class="citetitle">RFC 2104</em>.
0N/A    </p>
0N/A</div>
0N/A<div class="refsect1" lang="en">
0N/A<a name="id2655286"></a><h2>AUTHOR</h2>
0N/A<p><span class="corpauthor">Internet Systems Consortium</span>
0N/A    </p>
0N/A</div>
0N/A</div>
0N/A<div class="navfooter">
0N/A<hr>
0N/A<table width="100%" summary="Navigation footer">
0N/A<tr>
0N/A<td width="40%" align="left">
0N/A<a accesskey="p" href="man.genrandom.html">Prev</a>�</td>
0N/A<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
0N/A<td width="40%" align="right">�<a accesskey="n" href="man.nsec3hash.html">Next</a>
0N/A</td>
0N/A</tr>
0N/A<tr>
0N/A<td width="40%" align="left" valign="top">
0N/A<span class="application">genrandom</span>�</td>
0N/A<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
0N/A<td width="40%" align="right" valign="top">�<span class="application">nsec3hash</span>
0N/A</td>
0N/A</tr>
0N/A</table>
0N/A</div>
0N/A</body>
0N/A</html>
0N/A