man.isc-hmac-fixup.html revision ab3bdbd2ee61b06fa1dc4d3adbcff46cd808185a
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
<p>
 Versions of BIND 9 up to and including BIND 9.6 had a bug causing
 HMAC-SHA* TSIG keys which were longer than the digest length of the
 hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
 longer than 256 bits, etc.) to be used incorrectly, generating a
 message authentication code that was incompatible with other DNS
 implementations.
</p>
<p>
 This bug has been fixed in BIND 9.7. However, the fix may
 cause incompatibility between older and newer versions of
 BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
 modifies those keys to restore compatibility.
</p>
<p>
 To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
 specify the key's algorithm and secret on the command line. If the
 secret is longer than the digest length of the algorithm (64 bytes
 for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
 new secret will be generated consisting of a hash digest of the old
 secret. (If the secret did not require conversion, then it will be
 printed without modification.)
</p>
<a name="id2669939"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
 Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
 are shortened, but as this is how the HMAC protocol works in
 operation anyway, it does not affect security. RFC 2104 notes,
 "Keys longer than [the digest length] are acceptable but the
 extra length would not significantly increase the function
</p>
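<p>
 The following Python sketch is an added example, not code from BIND or ISC. It shows why replacing a long secret with its digest restores agreement between an RFC 2104 HMAC and the older behaviour. The function names are hypothetical, and the model of the older behaviour (hashing any key longer than the digest length) and the conversion threshold are assumptions drawn from the description on this page.
</p>

```python
import hashlib
import hmac


def _mac(hash_name, key, msg, prehash_above):
    """RFC 2104 HMAC, pre-hashing the key only when len(key) > prehash_above."""
    def h(data):
        return hashlib.new(hash_name, data).digest()
    block = hashlib.new(hash_name).block_size
    if len(key) > prehash_above:
        key = h(key)
    key = key.ljust(block, b"\x00")            # zero-pad the key to one block
    inner = h(bytes(b ^ 0x36 for b in key) + msg)
    return h(bytes(b ^ 0x5C for b in key) + inner)


def standard_mac(hash_name, key, msg):
    # RFC 2104: only keys longer than the hash block size are hashed first.
    return _mac(hash_name, key, msg, hashlib.new(hash_name).block_size)


def legacy_mac(hash_name, key, msg):
    # ASSUMED model of the old behaviour: the key is hashed as soon as it
    # exceeds the digest length, which changes the MAC for mid-length keys.
    return _mac(hash_name, key, msg, hashlib.new(hash_name).digest_size)


def convert_secret(hash_name, secret):
    # Conversion as described above; threshold ASSUMED to be the digest length.
    if len(secret) > hashlib.new(hash_name).digest_size:
        return hashlib.new(hash_name, secret).digest()
    return secret                               # short secrets pass through


if __name__ == "__main__":
    msg = b"constructed sample message"
    old = bytes(range(40))                      # constructed 320-bit secret
    new = convert_secret("sha1", old)
    print("matches hmac module  :",
          standard_mac("sha1", old, msg) == hmac.new(old, msg, "sha1").digest())
    print("standard, old secret :", standard_mac("sha1", old, msg).hex())
    print("legacy,   old secret :", legacy_mac("sha1", old, msg).hex())
    print("standard, new secret :", standard_mac("sha1", new, msg).hex())
    print("legacy,   new secret :", legacy_mac("sha1", new, msg).hex())
```

<p>
 With the old secret the two implementations disagree; with the converted secret both produce the MAC the older implementation always produced.
</p>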
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>