|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
Packit |
5ce601 |
-
|
|
Packit |
5ce601 |
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
Packit |
5ce601 |
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
Packit Service |
704ed8 |
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
Packit |
5ce601 |
-
|
|
Packit |
5ce601 |
- See the COPYRIGHT file distributed with this work for additional
|
|
Packit |
5ce601 |
- information regarding copyright ownership.
|
|
Packit |
5ce601 |
-->
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
|
|
Packit Service |
d3afd5 |
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
|
|
Packit |
5ce601 |
<info>
|
|
Packit |
5ce601 |
<date>2013-04-28</date>
|
|
Packit |
5ce601 |
</info>
|
|
Packit |
5ce601 |
<refentryinfo>
|
|
Packit |
5ce601 |
<corpname>ISC</corpname>
|
|
Packit |
5ce601 |
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
|
|
Packit |
5ce601 |
</refentryinfo>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refmeta>
|
|
Packit |
5ce601 |
<refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
|
|
Packit |
5ce601 |
<manvolnum>8</manvolnum>
|
|
Packit Service |
d3afd5 |
<refmiscinfo>BIND9</refmiscinfo>
|
|
Packit |
5ce601 |
</refmeta>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refnamediv>
|
|
Packit |
5ce601 |
<refname><application>isc-hmac-fixup</application></refname>
|
|
Packit |
5ce601 |
<refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
|
|
Packit |
5ce601 |
</refnamediv>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<docinfo>
|
|
Packit |
5ce601 |
<copyright>
|
|
Packit |
5ce601 |
<year>2010</year>
|
|
Packit |
5ce601 |
<year>2013</year>
|
|
Packit |
5ce601 |
<year>2014</year>
|
|
Packit |
5ce601 |
<year>2015</year>
|
|
Packit |
5ce601 |
<year>2016</year>
|
|
Packit |
5ce601 |
<year>2017</year>
|
|
Packit |
5ce601 |
<year>2018</year>
|
|
Packit |
5ce601 |
<year>2019</year>
|
|
Packit |
5ce601 |
<year>2020</year>
|
|
Packit |
5ce601 |
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
Packit |
5ce601 |
</copyright>
|
|
Packit |
5ce601 |
</docinfo>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsynopsisdiv>
|
|
Packit |
5ce601 |
<cmdsynopsis sepchar=" ">
|
|
Packit |
5ce601 |
<command>isc-hmac-fixup</command>
|
|
Packit |
5ce601 |
<arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
|
|
Packit |
5ce601 |
<arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
|
|
Packit |
5ce601 |
</cmdsynopsis>
|
|
Packit |
5ce601 |
</refsynopsisdiv>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>DESCRIPTION</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
|
|
Packit |
5ce601 |
HMAC-SHA* TSIG keys which were longer than the digest length of the
|
|
Packit |
5ce601 |
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
|
|
Packit |
5ce601 |
longer than 256 bits, etc) to be used incorrectly, generating a
|
|
Packit |
5ce601 |
message authentication code that was incompatible with other DNS
|
|
Packit |
5ce601 |
implementations.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
This bug was fixed in BIND 9.7. However, the fix may
|
|
Packit |
5ce601 |
cause incompatibility between older and newer versions of
|
|
Packit |
5ce601 |
BIND, when using long keys. <command>isc-hmac-fixup</command>
|
|
Packit |
5ce601 |
modifies those keys to restore compatibility.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
To modify a key, run <command>isc-hmac-fixup</command> and
|
|
Packit |
5ce601 |
specify the key's algorithm and secret on the command line. If the
|
|
Packit |
5ce601 |
secret is longer than the digest length of the algorithm (64 bytes
|
|
Packit |
5ce601 |
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
|
|
Packit |
5ce601 |
new secret will be generated consisting of a hash digest of the old
|
|
Packit |
5ce601 |
secret. (If the secret did not require conversion, then it will be
|
|
Packit |
5ce601 |
printed without modification.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>SECURITY CONSIDERATIONS</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Secrets that have been converted by <command>isc-hmac-fixup</command>
|
|
Packit |
5ce601 |
are shortened, but as this is how the HMAC protocol works in
|
|
Packit |
5ce601 |
operation anyway, it does not affect security. RFC 2104 notes,
|
|
Packit |
5ce601 |
"Keys longer than [the digest length] are acceptable but the
|
|
Packit |
5ce601 |
extra length would not significantly increase the function
|
|
Packit |
5ce601 |
strength."
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>SEE ALSO</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
|
Packit |
5ce601 |
<citetitle>RFC 2104</citetitle>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
</refentry>
|