diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
| commit | ea648e70a989cca190cd7403fe892fd2dcc290b4 (patch) | |
| tree | e2b6b1c647da68b0d4d66082835e256eb30970e8 /doc/arm/man.isc-hmac-fixup.html | |
| parent | Initial commit. (diff) | |
| download | bind9-upstream.tar.xz bind9-upstream.zip | |
Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/arm/man.isc-hmac-fixup.html')
| -rw-r--r-- | doc/arm/man.isc-hmac-fixup.html | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html new file mode 100644 index 0000000..02818a9 --- /dev/null +++ b/doc/arm/man.isc-hmac-fixup.html @@ -0,0 +1,131 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<!-- + - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. +--> +<html lang="en"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>isc-hmac-fixup</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> +<link rel="prev" href="man.genrandom.html" title="genrandom"> +<link rel="next" href="man.nsec3hash.html" title="nsec3hash"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="man.genrandom.html">Prev</a> </td> +<th width="60%" align="center">Manual pages</th> +<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="refentry"> +<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div> + + + + + + <div class="refnamediv"> +<h2>Name</h2> +<p> + <span class="application">isc-hmac-fixup</span> + — fixes HMAC keys generated by older versions of BIND + </p> +</div> + + + + <div class="refsynopsisdiv"> +<h2>Synopsis</h2> + <div class="cmdsynopsis"><p> + <code class="command">isc-hmac-fixup</code> + {<em class="replaceable"><code>algorithm</code></em>} + {<em class="replaceable"><code>secret</code></em>} + </p></div> + </div> + + <div class="refsection"> +<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2> + + <p> + Versions of BIND 9 up to and including BIND 9.6 had a bug causing + HMAC-SHA* TSIG keys which were longer than the digest length of the + hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys + longer than 256 bits, etc) to be used incorrectly, generating a + message authentication code that was incompatible with other DNS + implementations. + </p> + <p> + This bug was fixed in BIND 9.7. However, the fix may + cause incompatibility between older and newer versions of + BIND, when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span> + modifies those keys to restore compatibility. + </p> + <p> + To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and + specify the key's algorithm and secret on the command line. If the + secret is longer than the digest length of the algorithm (64 bytes + for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a + new secret will be generated consisting of a hash digest of the old + secret. (If the secret did not require conversion, then it will be + printed without modification.) + </p> + </div> + + <div class="refsection"> +<a name="id-1.14.34.8"></a><h2>SECURITY CONSIDERATIONS</h2> + + <p> + Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span> + are shortened, but as this is how the HMAC protocol works in + operation anyway, it does not affect security. RFC 2104 notes, + "Keys longer than [the digest length] are acceptable but the + extra length would not significantly increase the function + strength." + </p> + </div> + + <div class="refsection"> +<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2> + + <p> + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 2104</em>. + </p> + </div> + +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="man.genrandom.html">Prev</a> </td> +<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> +<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top"> +<span class="application">genrandom</span> </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span> +</td> +</tr> +</table> +</div> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.5-P4 (Extended Support Version)</p> +</body> +</html> |