- isc-hmac-fixup - — fixes HMAC keys generated by older versions of BIND -
-
- isc-hmac-fixup
- {algorithm}
- {secret}
-
- Versions of BIND 9 up to and including BIND 9.6 had a bug causing - HMAC-SHA* TSIG keys which were longer than the digest length of the - hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys - longer than 256 bits, etc) to be used incorrectly, generating a - message authentication code that was incompatible with other DNS - implementations. -
-- This bug has been fixed in BIND 9.7. However, the fix may - cause incompatibility between older and newer versions of - BIND, when using long keys. isc-hmac-fixup - modifies those keys to restore compatibility. -
-- To modify a key, run isc-hmac-fixup and - specify the key's algorithm and secret on the command line. If the - secret is longer than the digest length of the algorithm (64 bytes - for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a - new secret will be generated consisting of a hash digest of the old - secret. (If the secret did not require conversion, then it will be - printed without modification.) -
-- Secrets that have been converted by isc-hmac-fixup - are shortened, but as this is how the HMAC protocol works in - operation anyway, it does not affect security. RFC 2104 notes, - "Keys longer than [the digest length] are acceptable but the - extra length would not significantly increase the function - strength." -
-- isc-hmac-fixup - — fixes HMAC keys generated by older versions of BIND -
-
- isc-hmac-fixup
- {algorithm}
- {secret}
-
- Versions of BIND 9 up to and including BIND 9.6 had a bug causing - HMAC-SHA* TSIG keys which were longer than the digest length of the - hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys - longer than 256 bits, etc) to be used incorrectly, generating a - message authentication code that was incompatible with other DNS - implementations. -
-- This bug has been fixed in BIND 9.7. However, the fix may - cause incompatibility between older and newer versions of - BIND, when using long keys. isc-hmac-fixup - modifies those keys to restore compatibility. -
-- To modify a key, run isc-hmac-fixup and - specify the key's algorithm and secret on the command line. If the - secret is longer than the digest length of the algorithm (64 bytes - for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a - new secret will be generated consisting of a hash digest of the old - secret. (If the secret did not require conversion, then it will be - printed without modification.) -
-- Secrets that have been converted by isc-hmac-fixup - are shortened, but as this is how the HMAC protocol works in - operation anyway, it does not affect security. RFC 2104 notes, - "Keys longer than [the digest length] are acceptable but the - extra length would not significantly increase the function - strength." -
-BIND 9.12.0b1
- - diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index fe52b2d672..8997a269ed 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -507,6 +507,14 @@ in a future release. [RT #42272] +