<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">isc-hmac-fixup</span>
     &#8212; fixes HMAC keys generated by older versions of BIND
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">isc-hmac-fixup</code> 
       {<em class="replaceable"><code>algorithm</code></em>}
       {<em class="replaceable"><code>secret</code></em>}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
    
    <p>
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
      longer than 256 bits, etc.) to be used incorrectly, generating a
      message authentication code that was incompatible with other DNS
      implementations.
    </p>
    <p>
      This bug has been fixed in BIND 9.7.  However, the fix may
      cause incompatibility between older and newer versions of
      BIND, when using long keys.  <span class="command"><strong>isc-hmac-fixup</strong></span>
      modifies those keys to restore compatibility.
    </p>
    <p>
      To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
      specify the key's algorithm and secret on the command line.  If the
      secret is longer than the digest length of the algorithm (64 bytes
      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
      new secret will be generated consisting of a hash digest of the old
      secret.  (If the secret did not require conversion, then it will be
      printed without modification.)
    </p>
  </div>

  <div class="refsection">
<a name="id-1.14.30.8"></a><h2>SECURITY CONSIDERATIONS</h2>
    
    <p>
      Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
      are shortened, but as this is how the HMAC protocol works in
      operation anyway, it does not affect security.  RFC 2104 notes,
      "Keys longer than [the digest length] are acceptable but the
      extra length would not significantly increase the function
      strength."
    </p>
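    <p>
      Added example, not part of this manual page or of the BIND sources: a
      Python sketch of the conversion described under DESCRIPTION, with a check
      that a standards-conforming HMAC gives the same MAC for the original long
      secret and the shortened one. The base64 encoding of the secret, the
      optional "hmac-" prefix, the helper names and the sample values are
      assumptions made for illustration.
    </p>

```python
import base64
import hashlib
import hmac

# Conversion thresholds as stated on this page: 64 bytes for SHA1 through
# SHA256, 128 bytes for SHA384 and SHA512.
LIMITS = {"sha1": 64, "sha224": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def _hash_name(algorithm: str) -> str:
    """Normalise 'hmac-sha256' or 'SHA256' to a hashlib name (assumed spelling)."""
    name = algorithm.lower()
    if name.startswith("hmac-"):
        name = name[len("hmac-"):]
    if name not in LIMITS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return name


def fixup_secret(algorithm: str, secret_b64: str) -> str:
    """Hypothetical helper: return the secret unchanged if it is within the
    limit, otherwise the base64 of the hash digest of the decoded secret."""
    name = _hash_name(algorithm)
    raw = base64.b64decode(secret_b64, validate=True)
    if len(raw) <= LIMITS[name]:
        return secret_b64
    return base64.b64encode(hashlib.new(name, raw).digest()).decode("ascii")


def macs_match(algorithm: str, secret_b64: str, message: bytes) -> bool:
    """Compare the MAC under the original secret with the MAC under the
    converted secret, using Python's RFC 2104 HMAC for both."""
    name = _hash_name(algorithm)
    old_key = base64.b64decode(secret_b64, validate=True)
    new_key = base64.b64decode(fixup_secret(algorithm, secret_b64), validate=True)
    old_mac = hmac.new(old_key, message, name).digest()
    new_mac = hmac.new(new_key, message, name).digest()
    return hmac.compare_digest(old_mac, new_mac)


# Constructed sample values, not real keys or DNS traffic.
LONG_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")
SAMPLE_MESSAGE = b"constructed message bytes standing in for a signed DNS message"

if __name__ == "__main__":
    print(fixup_secret("hmac-sha256", LONG_SECRET))
    print(macs_match("hmac-sha256", LONG_SECRET, SAMPLE_MESSAGE))
```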
  </div>

  <div class="refsection">
<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
    
    <p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2104</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">genrandom</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>