Diffstat (limited to 'bin/tools/isc-hmac-fixup.8')
-rw-r--r-- | bin/tools/isc-hmac-fixup.8 | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/bin/tools/isc-hmac-fixup.8 b/bin/tools/isc-hmac-fixup.8 new file mode 100644 index 0000000..3124159 --- /dev/null +++ b/bin/tools/isc-hmac-fixup.8 
@@ -0,0 +1,69 @@ +.\" Copyright (C) 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" This Source Code Form is subject to the terms of the Mozilla Public +.\" License, v. 2.0. If a copy of the MPL was not distributed with this +.\" file, You can obtain one at http://mozilla.org/MPL/2.0/. +.\" +.hy 0 +.ad l +'\" t +.\" Title: isc-hmac-fixup +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 2013-04-28 +.\" Manual: BIND9 +.\" Source: ISC +.\" Language: English +.\" +.TH "ISC\-HMAC\-FIXUP" "8" "2013\-04\-28" "ISC" "BIND9" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +isc-hmac-fixup \- fixes HMAC keys generated by older versions of BIND +.SH "SYNOPSIS" +.HP \w'\fBisc\-hmac\-fixup\fR\ 'u +\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR} +.SH "DESCRIPTION" +.PP +Versions of BIND 9 up to and including BIND 9\&.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i\&.e\&., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message 
authentication code that was incompatible with other DNS implementations\&. +.PP +This bug was fixed in BIND 9\&.7\&. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys\&. +\fBisc\-hmac\-fixup\fR +modifies those keys to restore compatibility\&. +.PP +To modify a key, run +\fBisc\-hmac\-fixup\fR +and specify the key\*(Aqs algorithm and secret on the command line\&. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret\&. (If the secret did not require conversion, then it will be printed without modification\&.) +.SH "SECURITY CONSIDERATIONS" +.PP +Secrets that have been converted by +\fBisc\-hmac\-fixup\fR +are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security\&. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength\&." +.SH "SEE ALSO" +.PP +BIND 9 Administrator Reference Manual, +RFC 2104\&. +.SH "AUTHOR" +.PP +\fBInternet Systems Consortium, Inc\&.\fR +.SH "COPYRIGHT" +.br +Copyright \(co 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC") +.br |
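Review bot: the DESCRIPTION uses "digest length" for two different thresholds. The first paragraph gives "SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits", while the third gives "64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512". The 64 and 128 byte figures are the block sizes of those hashes, not their digest lengths, so an operator cannot tell from this page whether, say, a 32-byte HMAC-SHA1 secret needs conversion. State the one threshold the tool actually applies and use the same term for it in both paragraphs and in the bracketed RFC 2104 quotation under SECURITY CONSIDERATIONS. That section should also note that the secret is given as a command-line argument, where it can end up in shell history and process listings.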