man.isc-hmac-fixup.html revision 66f25f2ceeb589e67efe7af2413baaa3426b0042
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.isc-hmac-fixup.html,v 1.26 2010/12/26 01:14:08 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<a accesskey="p" href="man.genrandom.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.nsec3hash.html">Next</a>
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
longer than 256 bits, etc.) to be used incorrectly, generating a
message authentication code that was incompatible with other DNS
implementations.

This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
modifies those keys to restore compatibility.
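
The incompatibility and the key conversion, modelled as an added example (not ISC's code and not part of the original manual page). Assumptions: the old behaviour is modelled as hashing any key longer than the hash output size (160 bits for SHA1, 256 bits for SHA256) before use, secrets are handled as base64 text, and the function names `fixup`, `legacy_mac`, `standard_mac` and `interop_report` are hypothetical.

```python
import base64
import hashlib
import hmac

# Hash constructors for the HMAC-SHA* TSIG algorithms named on the page.
HASHES = {"sha1": hashlib.sha1, "sha224": hashlib.sha224, "sha256": hashlib.sha256,
          "sha384": hashlib.sha384, "sha512": hashlib.sha512}

def fixup(algorithm, secret_b64):
    """Model of the conversion: return (secret_b64, converted)."""
    h = HASHES[algorithm]
    key = base64.b64decode(secret_b64)
    if len(key) > h().digest_size:
        # Long key: the new secret is the hash digest of the old secret.
        return base64.b64encode(h(key).digest()).decode(), True
    return secret_b64, False  # short key: nothing to convert

def legacy_mac(algorithm, key, message):
    """ASSUMED model of BIND <= 9.6: key hashed once it exceeds the digest length."""
    h = HASHES[algorithm]
    if len(key) > h().digest_size:
        key = h(key).digest()
    return hmac.new(key, message, h).digest()

def standard_mac(algorithm, key, message):
    """RFC 2104 HMAC: key hashed only when longer than the hash block size."""
    return hmac.new(key, message, HASHES[algorithm]).digest()

def interop_report(algorithm, secret_b64, message=b"constructed TSIG test message"):
    """Compare old and new behaviour before and after the conversion."""
    old_key = base64.b64decode(secret_b64)
    new_b64, converted = fixup(algorithm, secret_b64)
    new_key = base64.b64decode(new_b64)
    old_side = legacy_mac(algorithm, old_key, message)
    return {
        "converted": converted,
        # Same long secret on both sides: do an old and a fixed server agree?
        "before": old_side == standard_mac(algorithm, old_key, message),
        # Old server keeps its secret, fixed server gets the converted one.
        "after": old_side == standard_mac(algorithm, new_key, message),
        "new_key_bytes": len(new_key),
    }

if __name__ == "__main__":
    long_secret = base64.b64encode(bytes(range(40))).decode()   # constructed 320-bit key
    short_secret = base64.b64encode(bytes(range(16))).decode()  # constructed 128-bit key
    print(interop_report("sha256", long_secret))
    print(interop_report("sha256", short_secret))
```

The converted secret is exactly one digest long, so the modelled old code also uses it unchanged and both sides can share it.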
To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
new secret will be generated consisting of a hash digest of the old
secret. (If the secret did not require conversion, then it will be