104 lines
3.6 KiB
Plaintext
104 lines
3.6 KiB
Plaintext
<!--
|
|
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
-
|
|
- See the COPYRIGHT file distributed with this work for additional
|
|
- information regarding copyright ownership.
|
|
-->
|
|
|
|
<!-- Converted by db4-upgrade version 1.0 -->
|
|
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
|
|
<info>
|
|
<date>2013-04-28</date>
|
|
</info>
|
|
<refentryinfo>
|
|
<corpname>ISC</corpname>
|
|
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
|
|
<manvolnum>8</manvolnum>
|
|
<refmiscinfo>BIND9</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname><application>isc-hmac-fixup</application></refname>
|
|
<refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
|
|
</refnamediv>
|
|
|
|
<docinfo>
|
|
<copyright>
|
|
<year>2010</year>
|
|
<year>2013</year>
|
|
<year>2014</year>
|
|
<year>2015</year>
|
|
<year>2016</year>
|
|
<year>2017</year>
|
|
<year>2018</year>
|
|
<year>2019</year>
|
|
<year>2020</year>
|
|
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
</copyright>
|
|
</docinfo>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis sepchar=" ">
|
|
<command>isc-hmac-fixup</command>
|
|
<arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
|
|
<arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsection><info><title>DESCRIPTION</title></info>
|
|
|
|
<para>
|
|
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
|
|
HMAC-SHA* TSIG keys which were longer than the digest length of the
|
|
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
|
|
longer than 256 bits, etc) to be used incorrectly, generating a
|
|
message authentication code that was incompatible with other DNS
|
|
implementations.
|
|
</para>
|
|
<para>
|
|
This bug was fixed in BIND 9.7. However, the fix may
|
|
cause incompatibility between older and newer versions of
|
|
BIND, when using long keys. <command>isc-hmac-fixup</command>
|
|
modifies those keys to restore compatibility.
|
|
</para>
|
|
<para>
|
|
To modify a key, run <command>isc-hmac-fixup</command> and
|
|
specify the key's algorithm and secret on the command line. If the
|
|
secret is longer than the digest length of the algorithm (64 bytes
|
|
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
|
|
new secret will be generated consisting of a hash digest of the old
|
|
secret. (If the secret did not require conversion, then it will be
|
|
printed without modification.)
|
|
</para>
|
|
</refsection>
|
|
|
|
<refsection><info><title>SECURITY CONSIDERATIONS</title></info>
|
|
|
|
<para>
|
|
Secrets that have been converted by <command>isc-hmac-fixup</command>
|
|
are shortened, but as this is how the HMAC protocol works in
|
|
operation anyway, it does not affect security. RFC 2104 notes,
|
|
"Keys longer than [the digest length] are acceptable but the
|
|
extra length would not significantly increase the function
|
|
strength."
|
|
</para>
|
|
</refsection>
|
|
|
|
<refsection><info><title>SEE ALSO</title></info>
|
|
|
|
<para>
|
|
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
|
<citetitle>RFC 2104</citetitle>.
|
|
</para>
|
|
</refsection>
|
|
|
|
</refentry>
|