<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2622597"></a><h2>DESCRIPTION</h2>
<p>
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
      longer than 256 bits, etc.) to be used incorrectly, generating a
      message authentication code that was incompatible with other DNS
      implementations.
    </p>
<p>
      This bug has been fixed in BIND 9.7. However, the fix may
      cause incompatibility between older and newer versions of
      BIND when long keys are in use. <span><strong class="command">isc-hmac-fixup</strong></span>
      modifies those keys to restore compatibility.
    </p>
<p>
      To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
      specify the key's algorithm and secret on the command line. If the
      secret is longer than the digest length of the algorithm (64 bytes
      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
      new secret will be generated consisting of a hash digest of the old
      secret. (If the secret does not require conversion, it is
      printed without modification.)
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2669524"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
      Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
      are shortened, but because this is how the HMAC protocol treats
      such keys in operation anyway, the conversion does not affect
      security. RFC 2104 notes,
      "Keys longer than [the digest length] are acceptable but the
      extra length would not significantly increase the function
      strength."
    </p>
</div>
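<p>
      The conversion described in DESCRIPTION and the claim in SECURITY CONSIDERATIONS, as an added Python example (not ISC's code; the function names are hypothetical). It assumes secrets are base64 text as in a BIND key statement and covers only the SHA variants whose thresholds the page lists; 64 and 128 bytes are those hashes' block sizes, above which RFC 2104 HMAC hashes the key itself, so a conforming implementation computes the same MAC with the converted secret.
    </p>

```python
import base64
import hashlib
import hmac

# Thresholds as stated on the page: 64 bytes for SHA1 through SHA256,
# 128 bytes for SHA384 and SHA512.
THRESHOLD = {"sha1": 64, "sha224": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def normalize(algorithm: str) -> str:
    """Accept 'hmac-sha256' or 'sha256' (accepted spellings are an assumption)."""
    name = algorithm.lower()
    if name.startswith("hmac-"):
        name = name[len("hmac-"):]
    if name not in THRESHOLD:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return name


def fixup(algorithm: str, secret_b64: str) -> str:
    """Return the converted secret, or the input unchanged if it is short enough."""
    name = normalize(algorithm)
    secret = base64.b64decode(secret_b64, validate=True)
    if len(secret) <= THRESHOLD[name]:
        return secret_b64
    # New secret = hash digest of the old secret, re-encoded as base64.
    return base64.b64encode(hashlib.new(name, secret).digest()).decode("ascii")


def rfc2104_mac(algorithm: str, secret_b64: str, message: bytes) -> bytes:
    """HMAC per RFC 2104 (Python's hmac module), keyed with a base64 secret."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, normalize(algorithm)).digest()


# Constructed sample data: a 100-byte secret, a 32-byte secret, a stand-in message.
LONG_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")
SHORT_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")
MESSAGE = b"constructed sample message"

if __name__ == "__main__":
    for alg in ("hmac-sha1", "hmac-sha256", "hmac-sha512"):
        new = fixup(alg, LONG_SECRET)
        equal = hmac.compare_digest(rfc2104_mac(alg, LONG_SECRET, MESSAGE),
                                    rfc2104_mac(alg, new, MESSAGE))
        state = "converted" if new != LONG_SECRET else "unchanged"
        print(f"{alg}: secret {state}, MAC equal under both secrets: {equal}")
```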
<div class="refsect1" lang="en">
<a name="id2669540"></a><h2>SEE ALSO</h2>
<p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2104</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2669557"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>