/contrib/bind9/bin/tools/isc-hmac-fixup.docbook
https://bitbucket.org/freebsd/freebsd-head/ · Unknown · 109 lines · 99 code · 10 blank · 0 comment · 0 complexity · 11bb28fda9838e26365f8607bee26aa0 MD5 · raw file
- <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
- [<!ENTITY mdash "—">]>
- <!--
- - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id: isc-hmac-fixup.docbook,v 1.2 2010/01/07 21:52:11 each Exp $ -->
- <refentry id="man.isc-hmac-fixup">
- <refentryinfo>
- <date>January 5, 2010</date>
- </refentryinfo>
- <refmeta>
- <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
- <manvolnum>1</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
- <refnamediv>
- <refname><application>isc-hmac-fixup</application></refname>
- <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
- </refnamediv>
- <docinfo>
- <copyright>
- <year>2010</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- </docinfo>
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>isc-hmac-fixup</command>
- <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
- <arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- Versions of BIND 9 up to and including BIND 9.6 had a bug causing
- HMAC-SHA* TSIG keys which were longer than the digest length of the
- hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
- longer than 256 bits, etc) to be used incorrectly, generating a
- message authentication code that was incompatible with other DNS
- implementations.
- </para>
- <para>
- This bug has been fixed in BIND 9.7. However, the fix may
- cause incompatibility between older and newer versions of
- BIND, when using long keys. <command>isc-hmac-fixup</command>
- modifies those keys to restore compatibility.
- </para>
- <para>
- To modify a key, run <command>isc-hmac-fixup</command> and
- specify the key's algorithm and secret on the command line. If the
- secret is longer than the digest length of the algorithm (64 bytes
- for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
- new secret will be generated consisting of a hash digest of the old
- secret. (If the secret did not require conversion, then it will be
- printed without modification.)
- </para>
- </refsect1>
- <refsect1>
- <title>SECURITY CONSIDERATIONS</title>
- <para>
- Secrets that have been converted by <command>isc-hmac-fixup</command>
- are shortened, but as this is how the HMAC protocol works in
- operation anyway, it does not affect security. RFC 2104 notes,
- "Keys longer than [the digest length] are acceptable but the
- extra length would not significantly increase the function
- strength."
- </para>
- </refsect1>
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
- <citetitle>RFC 2104</citetitle>.
- </para>
- </refsect1>
- <refsect1>
- <title>AUTHOR</title>
- <para><corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
- </refentry><!--
- - Local variables:
- - mode: sgml
- - End:
- -->