man.isc-hmac-fixup.html revision a17033f2c453688fde9719bced70b44553431759
Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
longer than 256 bits, etc.) to be used incorrectly, generating a
message authentication code that was incompatible with other DNS
implementations.
</p>
<p>
This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
modifies those keys to restore compatibility.
</p>
<p>
To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
new secret will be generated consisting of a hash digest of the old
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</p>
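<p>The conversion described above, sketched in Python as an added example (not ISC's code, and not part of the original manual page). It also shows the RFC 2104 property that a key longer than the hash's block size produces the same MAC as its digest. The function names, the optional <code>hmac-</code> prefix and the sample secret are assumptions; the thresholds are the ones this page states.</p>

```python
import base64
import hashlib
import hmac

# Conversion thresholds in bytes, taken from the text above.
THRESHOLD = {"sha1": 64, "sha224": 64, "sha256": 64, "sha384": 128, "sha512": 128}

# Constructed sample secret: 100 bytes, base64 encoded as in a key file.
SAMPLE_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")


def hash_name(algorithm: str) -> str:
    """Map 'hmac-sha256' or 'SHA256' to a hashlib name (naming is an assumption)."""
    name = algorithm.lower()
    if name.startswith("hmac-"):
        name = name[len("hmac-"):]
    if name not in THRESHOLD:
        raise ValueError("unsupported algorithm: " + algorithm)
    return name


def fixup_secret(algorithm: str, secret_b64: str) -> str:
    """Return the secret to configure after conversion, base64 encoded."""
    name = hash_name(algorithm)
    secret = base64.b64decode(secret_b64, validate=True)
    if len(secret) <= THRESHOLD[name]:
        return secret_b64  # no conversion required: returned unmodified
    # Over-long secret: the new secret is the hash digest of the old one.
    return base64.b64encode(hashlib.new(name, secret).digest()).decode("ascii")


def tsig_mac(algorithm: str, secret_b64: str, message: bytes) -> str:
    """Standard (RFC 2104) HMAC of message under the base64 secret, as hex."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, hash_name(algorithm)).hexdigest()


if __name__ == "__main__":
    msg = b"constructed message standing in for signed DNS data"
    for alg in ("hmac-sha1", "hmac-sha256", "hmac-sha512"):
        new = fixup_secret(alg, SAMPLE_SECRET)
        same = tsig_mac(alg, SAMPLE_SECRET, msg) == tsig_mac(alg, new, msg)
        print(alg, "converted" if new != SAMPLE_SECRET else "unchanged", same)
```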
<a name="id2669254"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
</p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>