man.isc-hmac-fixup.html 4.37 KB
Newer Older
1
<!--
Tinderbox User's avatar
Tinderbox User committed
2
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
Automatic Updater's avatar
Automatic Updater committed
3
 - 
Tinderbox User's avatar
Tinderbox User committed
4 5 6
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 8 9 10 11
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
Tinderbox User's avatar
Tinderbox User committed
12
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
Evan Hunt's avatar
Evan Hunt committed
13
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
Tinderbox User's avatar
Tinderbox User committed
14
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
15
<link rel="prev" href="man.genrandom.html" title="genrandom">
Evan Hunt's avatar
Evan Hunt committed
16
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
17 18 19 20 21 22 23 24 25
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
Evan Hunt's avatar
Evan Hunt committed
26
<td width="20%" align="right"><a accesskey="n" href="man.nsec3hash.html">Next</a>
27 28 29 30 31
</td>
</tr>
</table>
<hr>
</div>
Tinderbox User's avatar
Tinderbox User committed
32
<div class="refentry">
33
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
Tinderbox User's avatar
Tinderbox User committed
34
<div class="refnamediv">
35
<h2>Name</h2>
Tinderbox User's avatar
Tinderbox User committed
36
<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
37
</div>
Tinderbox User's avatar
Tinderbox User committed
38
<div class="refsynopsisdiv">
39
<h2>Synopsis</h2>
Tinderbox User's avatar
Tinderbox User committed
40 41 42 43 44
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
<p>
45 46 47 48 49 50 51
      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
      HMAC-SHA* TSIG keys which were longer than the digest length of the
      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
      longer than 256 bits, etc) to be used incorrectly, generating a
      message authentication code that was incompatible with other DNS
      implementations.
    </p>
Tinderbox User's avatar
Tinderbox User committed
52
<p>
53 54
      This bug has been fixed in BIND 9.7.  However, the fix may
      cause incompatibility between older and newer versions of
Evan Hunt's avatar
Evan Hunt committed
55
      BIND, when using long keys.  <span class="command"><strong>isc-hmac-fixup</strong></span>
56 57
      modifies those keys to restore compatibility.
    </p>
Tinderbox User's avatar
Tinderbox User committed
58
<p>
Evan Hunt's avatar
Evan Hunt committed
59
      To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
60 61 62 63 64 65 66
      specify the key's algorithm and secret on the command line.  If the
      secret is longer than the digest length of the algorithm (64 bytes
      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
      new secret will be generated consisting of a hash digest of the old
      secret.  (If the secret did not require conversion, then it will be
      printed without modification.)
    </p>
Tinderbox User's avatar
Tinderbox User committed
67 68 69 70
</div>
<div class="refsection">
<a name="id-1.14.30.8"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Evan Hunt's avatar
Evan Hunt committed
71
      Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
72 73 74 75 76 77
      are shortened, but as this is how the HMAC protocol works in
      operation anyway, it does not affect security.  RFC 2104 notes,
      "Keys longer than [the digest length] are acceptable but the
      extra length would not significantly increase the function
      strength."
    </p>
Tinderbox User's avatar
Tinderbox User committed
78 79 80 81
</div>
<div class="refsection">
<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
<p>
82 83 84
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2104</em>.
    </p>
Tinderbox User's avatar
Tinderbox User committed
85
</div>
86 87 88 89 90 91 92
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a></td>
Tinderbox User's avatar
Tinderbox User committed
93
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
Evan Hunt's avatar
Evan Hunt committed
94
<td width="40%" align="right"><a accesskey="n" href="man.nsec3hash.html">Next</a>
95 96 97 98 99 100
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">genrandom</span></td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
Evan Hunt's avatar
Evan Hunt committed
101
<td width="40%" align="right" valign="top"><span class="application">nsec3hash</span>
102 103 104 105
</td>
</tr>
</table>
</div>
Mark Andrews's avatar
Mark Andrews committed
106
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b2</p>
107 108
</body>
</html>