93 lines
3.2 KiB
HTML
93 lines
3.2 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<!--
|
|
- Copyright (C) 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
-->
|
|
<html lang="en">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
|
<title>isc-hmac-fixup</title>
|
|
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
|
</head>
|
|
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
|
|
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
|
|
|
|
|
|
|
|
|
|
|
|
<div class="refnamediv">
|
|
<h2>Name</h2>
|
|
<p>
|
|
<span class="application">isc-hmac-fixup</span>
|
|
— fixes HMAC keys generated by older versions of BIND
|
|
</p>
|
|
</div>
|
|
|
|
|
|
|
|
<div class="refsynopsisdiv">
|
|
<h2>Synopsis</h2>
|
|
<div class="cmdsynopsis"><p>
|
|
<code class="command">isc-hmac-fixup</code>
|
|
{<em class="replaceable"><code>algorithm</code></em>}
|
|
{<em class="replaceable"><code>secret</code></em>}
|
|
</p></div>
|
|
</div>
|
|
|
|
<div class="refsection">
|
|
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
|
|
|
|
<p>
|
|
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
|
|
HMAC-SHA* TSIG keys which were longer than the digest length of the
|
|
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
|
|
longer than 256 bits, etc) to be used incorrectly, generating a
|
|
message authentication code that was incompatible with other DNS
|
|
implementations.
|
|
</p>
|
|
<p>
|
|
This bug was fixed in BIND 9.7. However, the fix may
|
|
cause incompatibility between older and newer versions of
|
|
BIND, when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span>
|
|
modifies those keys to restore compatibility.
|
|
</p>
|
|
<p>
|
|
To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
|
|
specify the key's algorithm and secret on the command line. If the
|
|
secret is longer than the digest length of the algorithm (64 bytes
|
|
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
|
|
new secret will be generated consisting of a hash digest of the old
|
|
secret. (If the secret did not require conversion, then it will be
|
|
printed without modification.)
|
|
</p>
|
|
</div>
|
|
|
|
<div class="refsection">
|
|
<a name="id-1.8"></a><h2>SECURITY CONSIDERATIONS</h2>
|
|
|
|
<p>
|
|
Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
|
|
are shortened, but as this is how the HMAC protocol works in
|
|
operation anyway, it does not affect security. RFC 2104 notes,
|
|
"Keys longer than [the digest length] are acceptable but the
|
|
extra length would not significantly increase the function
|
|
strength."
|
|
</p>
|
|
</div>
|
|
|
|
<div class="refsection">
|
|
<a name="id-1.9"></a><h2>SEE ALSO</h2>
|
|
|
|
<p>
|
|
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
|
<em class="citetitle">RFC 2104</em>.
|
|
</p>
|
|
</div>
|
|
|
|
</div></body>
|
|
</html>
|