man.isc-hmac-fixup.html revision 7e71f05d8643aca84914437c900cb716444507e4
Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
longer than 256 bits, etc.) to be used incorrectly, generating a
message authentication code that was incompatible with other DNS
implementations.
</p>
<p>
This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span>
modifies those keys to restore compatibility.
</p>
<p>
To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
new secret will be generated consisting of a hash digest of the old
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</p>
<a name="id-1.14.34.8"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
</p>
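The conversion described above and the security argument of this section, as an added Python example that is not the isc-hmac-fixup source: it replaces a secret by its digest exactly when the raw key exceeds the algorithm's HMAC block size (the 64-byte and 128-byte thresholds quoted above, which are the block size B of RFC 2104), and then checks that the HMAC computed with the original long key equals the HMAC computed with the shortened key, which is why a converted key remains interoperable. It assumes secrets are handled base64-encoded, as TSIG secrets are in named.conf; the sample key and message are constructed.

```python
import base64
import hashlib
import hmac

# HMAC block size in bytes (B in RFC 2104): the threshold above which a key is
# replaced by its digest. These are the 64/128-byte values the man page quotes.
BLOCK_SIZE = {
    "hmac-sha1": 64, "hmac-sha224": 64, "hmac-sha256": 64,
    "hmac-sha384": 128, "hmac-sha512": 128,
}
HASH = {
    "hmac-sha1": hashlib.sha1, "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256, "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

def fixup_secret(algorithm: str, secret_b64: str) -> str:
    """Return the base64 secret to configure: the digest of the raw secret
    (base64-encoded) when it is longer than the block size, else unchanged."""
    alg = algorithm.lower()
    if alg not in BLOCK_SIZE:
        raise ValueError("unsupported algorithm: " + algorithm)
    raw = base64.b64decode(secret_b64, validate=True)
    if len(raw) <= BLOCK_SIZE[alg]:
        return secret_b64  # no conversion needed; printed as given
    return base64.b64encode(HASH[alg](raw).digest()).decode("ascii")

def tsig_mac(algorithm: str, secret_b64: str, message: bytes) -> bytes:
    """HMAC over a message with a base64 TSIG secret (a correct RFC 2104 HMAC)."""
    raw = base64.b64decode(secret_b64, validate=True)
    return hmac.new(raw, message, HASH[algorithm.lower()]).digest()

def demo() -> tuple:
    # Constructed sample: a 100-byte hmac-sha256 secret, over the 64-byte block size.
    long_secret = base64.b64encode(bytes(range(100))).decode("ascii")
    fixed = fixup_secret("hmac-sha256", long_secret)
    message = b"constructed TSIG-signed message bytes"  # not a real DNS wire message
    # A correct HMAC already hashes over-long keys, so both MACs agree.
    compatible = (tsig_mac("hmac-sha256", long_secret, message)
                  == tsig_mac("hmac-sha256", fixed, message))
    short_secret = base64.b64encode(b"short-secret").decode("ascii")
    untouched = fixup_secret("hmac-sha256", short_secret) == short_secret
    return compatible, untouched, len(base64.b64decode(fixed))

if __name__ == "__main__":
    print(demo())  # (True, True, 32)
```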
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc1</p>