man.isc-hmac-fixup.html revision 6bcac4b58d16ee91184a72bd4ff05c41538fd932
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
<p>
 Versions of BIND 9 up to and including BIND 9.6 had a bug causing
 HMAC-SHA* TSIG keys which were longer than the digest length of the
 hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
 longer than 256 bits, etc.) to be used incorrectly, generating a
 message authentication code that was incompatible with other DNS
 implementations.
</p>
<p>
 This bug has been fixed in BIND 9.7. However, the fix may
 cause incompatibility between older and newer versions of
 BIND when long keys are in use. <span><strong class="command">isc-hmac-fixup</strong></span>
 modifies those keys to restore compatibility.
</p>
<p>
 To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
 specify the key's algorithm and secret on the command line. If the
 secret is longer than the digest length of the algorithm (64 bytes
 for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
 new secret will be generated consisting of a hash digest of the old
 secret. (If the secret did not require conversion, then it will be
 printed without modification.)
</p>
<a name="id2623342"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
 Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
 are shortened, but because this is how the HMAC protocol works in
 operation anyway, the conversion does not affect security. RFC 2104 notes,
 "Keys longer than [the digest length] are acceptable but the
 extra length would not significantly increase the function
</p>
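<p>The key-handling rule behind this section, as an added Python example (not part of the BIND distribution or of the original manual page). <code>rfc2104_hmac</code> writes out the standard HMAC key preparation, and <code>convert_secret</code> is a hypothetical model of the conversion described above; it assumes that secrets are base64 text and that the byte limit is the hash's block size (the 64 and 128 byte figures quoted in the text). All sample keys are constructed.</p>

```python
import base64
import hashlib
import hmac


def rfc2104_hmac(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC written out step by step so the key-preparation rule is visible."""
    block = hashlib.new(hash_name).block_size   # 64 for SHA-1..SHA-256, 128 for SHA-384/512
    if len(key) > block:                        # RFC 2104: an over-long key is hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")             # then zero-padded to one full block
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ 0x5C for b in key) + inner).digest()


def convert_secret(hash_name: str, secret_b64: str) -> str:
    """Hypothetical model of the conversion: a base64 secret over the byte limit
    (assumed to be the block size) becomes the base64 digest of the old secret."""
    secret = base64.b64decode(secret_b64)
    if len(secret) <= hashlib.new(hash_name).block_size:
        return secret_b64                       # no conversion needed, returned unchanged
    return base64.b64encode(hashlib.new(hash_name, secret).digest()).decode("ascii")


def digest_equivalent(hash_name: str, key: bytes, msg: bytes) -> bool:
    """True when `key` and the digest of `key` produce the same MAC over msg."""
    hashed = hashlib.new(hash_name, key).digest()
    return hmac.compare_digest(hmac.new(key, msg, hash_name).digest(),
                               hmac.new(hashed, msg, hash_name).digest())


# Constructed sample data, not real TSIG keys or DNS traffic.
MESSAGE = b"constructed message bytes"
LONG_KEY = bytes(range(100))    # longer than the 64-byte block of SHA-1/SHA-256
MID_KEY = bytes(range(48))      # longer than SHA-256's 32-byte digest, shorter than its block

if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        print(name, "100-byte key equals its digest as a key:",
              digest_equivalent(name, LONG_KEY, MESSAGE))
    print("sha256 48-byte key equals its digest as a key:",
          digest_equivalent("sha256", MID_KEY, MESSAGE))
    print("converted secret:",
          convert_secret("sha256", base64.b64encode(LONG_KEY).decode("ascii")))
```

<p>A key longer than the block size authenticates identically before and after being replaced by its digest, while a key between the digest length and the block size does not, so both ends of a TSIG relationship have to agree on the length at which hashing starts.</p>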
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>