/contrib/bind9/bin/tools/isc-hmac-fixup.html
https://bitbucket.org/freebsd/freebsd-head/ · HTML · 83 lines · 67 code · 0 blank · 16 comment · 0 complexity · d3f708e731d2a3076eac21b003de7899 MD5 · raw file
- <!--
- - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id$ -->
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <title>isc-hmac-fixup</title>
- <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
- </head>
- <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
- <a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
- <div class="refnamediv">
- <h2>Name</h2>
- <p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
- </div>
- <div class="refsynopsisdiv">
- <h2>Synopsis</h2>
- <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
- </div>
- <div class="refsect1" lang="en">
- <a name="id2543352"></a><h2>DESCRIPTION</h2>
- <p>
- Versions of BIND 9 up to and including BIND 9.6 had a bug causing
- HMAC-SHA* TSIG keys which were longer than the digest length of the
- hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
- longer than 256 bits, etc) to be used incorrectly, generating a
- message authentication code that was incompatible with other DNS
- implementations.
- </p>
- <p>
- This bug has been fixed in BIND 9.7. However, the fix may
- cause incompatibility between older and newer versions of
- BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
- modifies those keys to restore compatibility.
- </p>
- <p>
- To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
- specify the key's algorithm and secret on the command line. If the
- secret is longer than the digest length of the algorithm (64 bytes
- for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
- new secret will be generated consisting of a hash digest of the old
- secret. (If the secret did not require conversion, then it will be
- printed without modification.)
- </p>
- </div>
- <div class="refsect1" lang="en">
- <a name="id2543376"></a><h2>SECURITY CONSIDERATIONS</h2>
- <p>
- Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
- are shortened, but as this is how the HMAC protocol works in
- operation anyway, it does not affect security. RFC 2104 notes,
- "Keys longer than [the digest length] are acceptable but the
- extra length would not significantly increase the function
- strength."
- </p>
- </div>
- <div class="refsect1" lang="en">
- <a name="id2543389"></a><h2>SEE ALSO</h2>
- <p>
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 2104</em>.
- </p>
- </div>
- <div class="refsect1" lang="en">
- <a name="id2543406"></a><h2>AUTHOR</h2>
- <p><span class="corpauthor">Internet Systems Consortium</span>
- </p>
- </div>
- </div></body>
- </html>