diff options
Diffstat (limited to '')
| -rw-r--r-- | bin/tools/isc-hmac-fixup.docbook | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook new file mode 100644 index 0000000..ecf32f3 --- /dev/null +++ b/bin/tools/isc-hmac-fixup.docbook @@ -0,0 +1,102 @@ +<!-- + - Copyright (C) Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. + - + - See the COPYRIGHT file distributed with this work for additional + - information regarding copyright ownership. +--> + +<!-- Converted by db4-upgrade version 1.0 --> +<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup"> + <info> + <date>2013-04-28</date> + </info> + <refentryinfo> + <corpname>ISC</corpname> + <corpauthor>Internet Systems Consortium, Inc.</corpauthor> + </refentryinfo> + + <refmeta> + <refentrytitle><application>isc-hmac-fixup</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>isc-hmac-fixup</application></refname> + <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose> + </refnamediv> + + <docinfo> + <copyright> + <year>2010</year> + <year>2013</year> + <year>2014</year> + <year>2015</year> + <year>2016</year> + <year>2017</year> + <year>2018</year> + <year>2019</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + </docinfo> + + <refsynopsisdiv> + <cmdsynopsis sepchar=" "> + <command>isc-hmac-fixup</command> + <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg> + <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsection><info><title>DESCRIPTION</title></info> + + <para> + Versions of BIND 9 up to and including BIND 9.6 had a bug causing + HMAC-SHA* TSIG keys which were longer than the digest length of the + hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys + longer than 256 bits, etc) to be used incorrectly, generating a + message authentication code that was incompatible with other DNS + implementations. + </para> + <para> + This bug was fixed in BIND 9.7. However, the fix may + cause incompatibility between older and newer versions of + BIND, when using long keys. <command>isc-hmac-fixup</command> + modifies those keys to restore compatibility. + </para> + <para> + To modify a key, run <command>isc-hmac-fixup</command> and + specify the key's algorithm and secret on the command line. If the + secret is longer than the digest length of the algorithm (64 bytes + for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a + new secret will be generated consisting of a hash digest of the old + secret. (If the secret did not require conversion, then it will be + printed without modification.) + </para> + </refsection> + + <refsection><info><title>SECURITY CONSIDERATIONS</title></info> + + <para> + Secrets that have been converted by <command>isc-hmac-fixup</command> + are shortened, but as this is how the HMAC protocol works in + operation anyway, it does not affect security. RFC 2104 notes, + "Keys longer than [the digest length] are acceptable but the + extra length would not significantly increase the function + strength." + </para> + </refsection> + + <refsection><info><title>SEE ALSO</title></info> + + <para> + <citetitle>BIND 9 Administrator Reference Manual</citetitle>, + <citetitle>RFC 2104</citetitle>. + </para> + </refsection> + +</refentry> |