.\" Copyright (C) 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: isc-hmac-fixup
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2013-04-28
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "ISC\-HMAC\-FIXUP" "8" "2013\-04\-28" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
isc-hmac-fixup \- fixes HMAC keys generated by older versions of BIND
.SH "SYNOPSIS"
.HP \w'\fBisc\-hmac\-fixup\fR\ 'u
\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
.SH "DESCRIPTION"
.PP
Versions of BIND 9 up to and including BIND 9\&.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i\&.e\&., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc\&.) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations\&.
.PP
This bug was fixed in BIND 9\&.7\&. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys\&.
\fBisc\-hmac\-fixup\fR
modifies those keys to restore compatibility\&.
.PP
To modify a key, run
\fBisc\-hmac\-fixup\fR
and specify the key\*(Aqs algorithm and secret on the command line\&. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret\&. (If the secret did not require conversion, then it will be printed without modification\&.)
.SH "SECURITY CONSIDERATIONS"
.PP
Secrets that have been converted by
\fBisc\-hmac\-fixup\fR
are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security\&. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength\&."
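.PP
The conversion described under DESCRIPTION and the equivalence claimed above, as an added Python example that is not part of the ISC tool or of this manual page. The function names, the lower-case algorithm names and the sample keys are assumptions made for illustration; the 64 and 128 byte thresholds are the ones this page gives, which are the hash block sizes in RFC 2104 terms.

```python
import base64
import hashlib
import hmac

# Length thresholds in bytes, as stated on this page: 64 for SHA1 through
# SHA256, 128 for SHA384 and SHA512.
THRESHOLD = {"sha1": 64, "sha224": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def fixup_secret(algorithm: str, secret_b64: str) -> str:
    """Return the converted base64 secret, or the input if no conversion is needed."""
    alg = algorithm.lower()
    if alg not in THRESHOLD:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    key = base64.b64decode(secret_b64, validate=True)
    if len(key) <= THRESHOLD[alg]:
        return secret_b64  # short enough: returned without modification
    # Too long: the new secret is the hash digest of the old secret.
    digest = hashlib.new(alg, key).digest()
    return base64.b64encode(digest).decode("ascii")


def mac(algorithm: str, secret_b64: str, message: bytes) -> bytes:
    """RFC 2104 HMAC of message under a base64-encoded secret."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, algorithm.lower()).digest()


# Constructed sample inputs: a 100-byte key and a 32-byte key.
LONG_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")
SHORT_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")
MESSAGE = b"constructed sample message"

if __name__ == "__main__":
    fixed = fixup_secret("sha256", LONG_SECRET)
    print("converted secret:", fixed)
    # A correct HMAC implementation hashes an over-long key itself, so the
    # MAC is the same before and after conversion.
    unchanged = hmac.compare_digest(
        mac("sha256", LONG_SECRET, MESSAGE), mac("sha256", fixed, MESSAGE)
    )
    print("MAC unchanged by conversion:", unchanged)
```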
.SH "SEE ALSO"
.PP
BIND 9 Administrator Reference Manual,
RFC 2104\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br