Interoperability issues using TSIG with HMAC-SHA224
    Evan Hunt
    each at isc.org
    Sat Jan  9 07:44:48 UTC 2010

> Has anyone else tried to communicate with TSIG using HMAC-SHA224 between 
> BIND and other DNS implementations?

We've recently found out about an interoperability flaw affecting all the
HMAC-SHA* algorithms; it affects any key with a secret longer than the
digest length of the algorithm (which is 28 bytes, for HMAC-SHA224).  If
your secret is longer than that, try a shorter key and see if that works.
If that's the problem, I can give you a workaround for the long key.
This bug will be fixed in BIND 9.7.0rc2; I'm not sure at this point whether
it will be backported into earlier releases.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
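Added example (not from the post or from BIND): a reference HMAC-SHA224 written out per RFC 2104 so the key handling for secrets longer than the 28-byte digest is explicit, plus a diagnostic that compares a peer's MAC against a few hypothetical ways a secret could be mishandled. The message bytes, the secret and the mishandling modes are constructed assumptions for illustration, not a description of the actual BIND defect.

```python
"""Reference HMAC-SHA224 key handling and a TSIG BADSIG diagnostic (added example)."""
import hashlib
import hmac

BLOCK_SIZE = 64    # SHA-224 block size in bytes (RFC 2104 "B")
DIGEST_SIZE = 28   # SHA-224 digest length in bytes (RFC 2104 "L")


def hmac_sha224_reference(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA224 per RFC 2104 with no shortcuts on key handling.

    Only keys longer than the BLOCK size (64 bytes) are hashed first;
    a key of 29..64 bytes is longer than the digest but must be used as-is,
    never hashed or truncated.  Shorter keys are zero-padded to the block.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha224(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha224(ipad + msg).digest()
    return hashlib.sha224(opad + inner).digest()


def reference_matches_library(key: bytes, msg: bytes) -> bool:
    """Cross-check the written-out HMAC against Python's hmac module."""
    lib = hmac.new(key, msg, hashlib.sha224).digest()
    return hmac.compare_digest(hmac_sha224_reference(key, msg), lib)


def diagnose_peer_mac(key: bytes, msg: bytes, peer_mac: bytes) -> list:
    """Given the shared secret, the signed TSIG data and the MAC a peer sent,
    report which computation(s) reproduce it.  The non-"correct" entries are
    hypothetical mishandling modes a debugger might test for, nothing more."""
    candidates = {
        "correct": hmac.new(key, msg, hashlib.sha224).digest(),
        "key_truncated_to_digest_len": hmac.new(key[:DIGEST_SIZE], msg, hashlib.sha224).digest(),
        "key_prehashed_to_digest": hmac.new(hashlib.sha224(key).digest(), msg, hashlib.sha224).digest(),
    }
    return [name for name, mac in candidates.items() if hmac.compare_digest(mac, peer_mac)]


def constructed_secret(length: int) -> bytes:
    """Deterministic constructed test secret of the requested length."""
    return bytes((i * 7 + 3) % 256 for i in range(length))


# Constructed stand-in for the TSIG-signed data (real TSIG covers the DNS
# message plus TSIG variables; this is only sample input for the check).
SAMPLE_MSG = b"constructed DNS message bytes for HMAC-SHA224 test"
```

Running `diagnose_peer_mac` with a 40-byte secret against a MAC that only a truncated or pre-hashed key would produce tells you which key-handling mismatch to look for on the peer; with a secret of 28 bytes or fewer, truncation is a no-op and cannot be distinguished from correct behaviour.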
    
    
More information about the bind-users
mailing list