<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"><a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2>
<p>
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
      longer than 256 bits, etc.) to be used incorrectly, generating a
      message authentication code that was incompatible with other DNS
      implementations.
    </p>
<p>
      This bug has been fixed in BIND 9.7.  However, the fix may
      cause incompatibility between older and newer versions of
      BIND, when using long keys.  <span class="command"><strong>isc-hmac-fixup</strong></span>
      modifies those keys to restore compatibility.
    </p>
<p>
      To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
      specify the key's algorithm and secret on the command line.  If the
      secret is longer than the digest length of the algorithm (64 bytes
      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
      new secret will be generated consisting of a hash digest of the old
      secret.  (If the secret did not require conversion, then it will be
      printed without modification.)
    </p>
</div>
<div class="refsection">
<a name="id-1.14.34.8"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
      Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
      are shortened, but as this is how the HMAC protocol works in
      operation anyway, it does not affect security.  RFC 2104 notes,
      "Keys longer than [the digest length] are acceptable but the
      extra length would not significantly increase the function
      strength."
    </p>
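<p>
      The conversion described above and the RFC 2104 point can be checked
      together. The following is an added example, not part of the original
      manual page and not ISC's code: it hashes an over-length secret as the
      DESCRIPTION states and confirms that a standard HMAC implementation
      produces the same MAC for the old and the new secret. It assumes secrets
      are base64-encoded; the function names, lowercase algorithm names and
      sample keys are constructed for illustration.
    </p>

```python
import base64
import hashlib
import hmac

# Conversion thresholds in bytes, as stated in the DESCRIPTION above.
# (SHA224 is taken to fall under "SHA1 through SHA256".)
THRESHOLD = {"sha1": 64, "sha224": 64, "sha256": 64,
             "sha384": 128, "sha512": 128}


def fixup(algorithm: str, secret_b64: str) -> str:
    """Return the converted base64 secret, or the input if no change is needed."""
    algorithm = algorithm.lower()
    if algorithm not in THRESHOLD:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    key = base64.b64decode(secret_b64, validate=True)
    if len(key) <= THRESHOLD[algorithm]:
        return secret_b64  # printed without modification
    # New secret is the hash digest of the old secret.
    digest = hashlib.new(algorithm, key).digest()
    return base64.b64encode(digest).decode("ascii")


def mac(algorithm: str, secret_b64: str, message: bytes) -> str:
    """HMAC as computed by a standard RFC 2104 implementation."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, algorithm.lower()).hexdigest()


def demo() -> dict:
    # Constructed sample inputs, not real TSIG keys or DNS messages.
    long_secret = base64.b64encode(bytes(range(100))).decode("ascii")
    short_secret = base64.b64encode(bytes(range(32))).decode("ascii")
    message = b"constructed message for illustration"

    converted = fixup("sha256", long_secret)
    return {
        "converted_bytes": len(base64.b64decode(converted)),
        "same_mac": hmac.compare_digest(mac("sha256", long_secret, message),
                                        mac("sha256", converted, message)),
        "short_unchanged": fixup("sha256", short_secret) == short_secret,
    }


if __name__ == "__main__":
    print(demo())
```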
</div>
<div class="refsection">
<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2>
<p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2104</em>.
    </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a></td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"><a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">genrandom</span></td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"><span class="application">nsec3hash</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0</p>
</body>
</html>