man.isc-hmac-fixup.html revision 97e74139b19368e385a3564746d42db70879195e
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - copyright notice and this permission notice appear in all copies.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater - PERFORMANCE OF THIS SOFTWARE.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<!-- $Id: man.isc-hmac-fixup.html,v 1.66 2011/12/22 18:10:10 tbox Exp $ -->
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="prev" href="man.genrandom.html" title="genrandom">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<table width="100%" summary="Navigation header">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a accesskey="p" href="man.genrandom.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<th width="60%" align="center">Manual pages</th>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="20%" align="right">�<a accesskey="n" href="man.nsec3hash.html">Next</a>
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User Versions of BIND 9 up to and including BIND 9.6 had a bug causing
b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User HMAC-SHA* TSIG keys which were longer than the digest length of the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User longer than 256 bits, etc) to be used incorrectly, generating a
b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User message authentication code that was incompatible with other DNS
b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User implementations.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This bug has been fixed in BIND 9.7. However, the fix may
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews cause incompatibility between older and newer versions of
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews modifies those keys to restore compatibility.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specify the key's algorithm and secret on the command line. If the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews secret is longer than the digest length of the algorithm (64 bytes
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User new secret will be generated consisting of a hash digest of the old
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User secret. (If the secret did not require conversion, then it will be
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User printed without modification.)
659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User<a name="id2618426"></a><h2>SECURITY CONSIDERATIONS</h2>
659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User are shortened, but as this is how the HMAC protocol works in
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews operation anyway, it does not affect security. RFC 2104 notes,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User "Keys longer than [the digest length] are acceptable but the
659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User extra length would not significantly increase the function
659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p><span class="corpauthor">Internet Systems Consortium</span>
659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User<table width="100%" summary="Navigation footer">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a accesskey="p" href="man.genrandom.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="40%" align="right">�<a accesskey="n" href="man.nsec3hash.html">Next</a>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<span class="application">genrandom</span>�</td>
d3ddafd7469d1f3430ccd1b0fe0d13ccbbaf5debTinderbox User<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="40%" align="right" valign="top">�<span class="application">nsec3hash</span>