Interoperability issues using TSIG with HMAC-SHA224
Jefferson Ogata
bind-users1 at antibozo.net
Sat Jan 9 22:01:42 UTC 2010
On 2010-01-09 07:44, Evan Hunt wrote:
>> Has anyone else tried to communicate with TSIG using HMAC-SHA224 between
>> BIND and other DNS implementations?
>
> We've recently found out about an interoperability flaw affecting all the
> HMAC-SHA* algorithms; it affects any key with a secret longer than the
> digest length of the algorithm (which is 28 bytes, for HMAC-SHA224). If
> your secret is longer than that, try a shorter key and see if that works.
Evan,
You hit the nail on the head. I should have thought to test shorter
keys. I was using a 32-byte key. Just tested with 28 bytes and the
problem does indeed go away with the shorter key.
> If that's the problem, I can give you a workaround for the long key.
I would very much appreciate that!
> This bug will be fixed in BIND 9.7.0rc2; I'm not sure at this point whether
> it will be backported into earlier releases.
Well, I'll be happy to try packaging the workaround as a patch for the
Red Hat folks at least.
--
Jefferson Ogata : Internetworker, Antibozo
More information about the bind-users
mailing list