.\" Copyright (C) 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")

.\" 

.\" This Source Code Form is subject to the terms of the Mozilla Public

.\" License, v. 2.0. If a copy of the MPL was not distributed with this

.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.

.\"

.hy 0

.ad l

'\" t

.\"     Title: isc-hmac-fixup

.\"    Author: 

.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>

.\"      Date: 2013-04-28

.\"    Manual: BIND9

.\"    Source: ISC

.\"  Language: English

.\"

.TH "ISC\-HMAC\-FIXUP" "8" "2013\-04\-28" "ISC" "BIND9"

.\" -----------------------------------------------------------------

.\" * Define some portability stuff

.\" -----------------------------------------------------------------

.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.\" http://bugs.debian.org/507673

.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html

.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.ie \n(.g .ds Aq \(aq

.el       .ds Aq '

.\" -----------------------------------------------------------------

.\" * set default formatting

.\" -----------------------------------------------------------------

.\" disable hyphenation

.nh

.\" disable justification (adjust text to left margin only)

.ad l

.\" -----------------------------------------------------------------

.\" * MAIN CONTENT STARTS HERE *

.\" -----------------------------------------------------------------

.SH "NAME"

isc-hmac-fixup \- fixes HMAC keys generated by older versions of BIND

.SH "SYNOPSIS"

.HP \w'\fBisc\-hmac\-fixup\fR\ 'u

\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}

.SH "DESCRIPTION"

.PP

Versions of BIND 9 up to and including BIND 9\&.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i\&.e\&., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations\&.

.PP

This bug was fixed in BIND 9\&.7\&. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys\&.

\fBisc\-hmac\-fixup\fR

modifies those keys to restore compatibility\&.

.PP

To modify a key, run

\fBisc\-hmac\-fixup\fR

and specify the key\*(Aqs algorithm and secret on the command line\&. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret\&. (If the secret did not require conversion, then it will be printed without modification\&.)

.SH "SECURITY CONSIDERATIONS"

.PP

Secrets that have been converted by

\fBisc\-hmac\-fixup\fR

are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security\&. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength\&."

.SH "SEE ALSO"

.PP

BIND 9 Administrator Reference Manual,

RFC 2104\&.

.SH "AUTHOR"

.PP

\fBInternet Systems Consortium, Inc\&.\fR

.SH "COPYRIGHT"

.br

Copyright \(co 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")

.br