On 2010-01-09 07:44, Evan Hunt wrote:
>> Has anyone else tried to communicate with TSIG using HMAC-SHA224 between
>> BIND and other DNS implementations?
>
> We've recently found out about an interoperability flaw affecting all the
> HMAC-SHA* algorithms; it affects any key with a secret longer than the
> digest length of the algorithm (which is 28 bytes, for HMAC-SHA224). If
> your secret is longer than that, try a shorter key and see if that works.

Evan,

You hit the nail on the head. I should have thought to test shorter keys.
I was using a 32-byte key. Just tested with 28 bytes and the problem does
indeed go away with the shorter key.

> If that's the problem, I can give you a workaround for the long key.

I would very much appreciate that!

> This bug will be fixed in BIND 9.7.0rc2; I'm not sure at this point whether
> it will be backported into earlier releases.

Well, I'll be happy to try packaging the workaround as a patch for the Red Hat
folks at least.

--
Jefferson Ogata : Internetworker, Antibozo
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
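The thread turns on the relationship between a TSIG secret's length and the digest length of its HMAC-SHA* algorithm. The following is an added example, not code from the thread or from ISC's BIND: it writes out HMAC per RFC 2104 so the real key-length rule is visible (keys are only pre-hashed above the hash block size, so a 32-byte HMAC-SHA224 key is valid and the described failure is purely an interoperability bug), audits named.conf-style base64 secrets against the digest length Evan quotes, and generates a digest-length replacement secret as the interim measure he suggests. The function names, the 32- and 28-byte sample keys and the stand-in message are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# TSIG HMAC-SHA* algorithm names (RFC 4635) with the hash each uses and its
# digest length in bytes; the 28 bytes quoted in the thread is HMAC-SHA224's.
ALGORITHMS = {
    "hmac-sha1": ("sha1", 20),
    "hmac-sha224": ("sha224", 28),
    "hmac-sha256": ("sha256", 32),
    "hmac-sha384": ("sha384", 48),
    "hmac-sha512": ("sha512", 64),
}


def rfc2104_hmac(hash_name, key, message):
    """HMAC exactly as RFC 2104 specifies it, written out so the key-length
    rule is visible: only a key longer than the hash's *block* size (64 bytes
    for SHA-224) is pre-hashed; anything shorter is zero-padded and used as
    is. A 32-byte HMAC-SHA224 key is therefore legitimate, so a peer that
    mishandles keys above the 28-byte digest length produces a different MAC
    and TSIG verification fails on one side or the other."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(hash_name, key, message):
    """Cross-check the hand-written HMAC against Python's hmac module."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(rfc2104_hmac(hash_name, key, message), expected)


def audit_tsig_secret(algorithm, secret_b64):
    """Decode a named.conf-style base64 secret (assumption: that is the
    format in use) and report whether it is longer than the algorithm's
    digest length, the condition the thread gives for the BIND bug."""
    hash_name, digest_len = ALGORITHMS[algorithm.lower()]
    key = base64.b64decode(secret_b64)
    return {
        "algorithm": algorithm,
        "key_bytes": len(key),
        "digest_bytes": digest_len,
        "longer_than_digest": len(key) > digest_len,
    }


def generate_tsig_secret(algorithm):
    """Random secret exactly digest-length long, base64-encoded. RFC 2104
    recommends at least the digest length, and staying at it sidesteps the
    long-key condition until a fixed BIND is deployed."""
    _, digest_len = ALGORITHMS[algorithm.lower()]
    return base64.b64encode(os.urandom(digest_len)).decode("ascii")


# Constructed sample values, not taken from the thread: a 32-byte key like the
# one the poster used, a 28-byte key like the one that worked, and a stand-in
# for the data TSIG signs.
KEY_32 = bytes(range(32))
KEY_28 = bytes(range(28))
SAMPLE_MESSAGE = b"constructed stand-in for a TSIG-signed DNS message"
SECRET_32_B64 = base64.b64encode(KEY_32).decode("ascii")
SECRET_28_B64 = base64.b64encode(KEY_28).decode("ascii")

if __name__ == "__main__":
    for secret in (SECRET_32_B64, SECRET_28_B64):
        print(audit_tsig_secret("hmac-sha224", secret))
    print("32-byte key HMAC matches stdlib:",
          matches_stdlib("sha224", KEY_32, SAMPLE_MESSAGE))
    print("replacement secret:", generate_tsig_secret("hmac-sha224"))
```

Run it as a script to see the two audits and a fresh 28-byte secret; to check an existing configuration, feed `audit_tsig_secret` the `secret` value of each `key` statement in named.conf. The cross-check against the standard library is there to make the point concrete: a conforming implementation treats a 32-byte key identically to Python's hmac module, so any peer that does not is the one that needs the 9.7.0rc2 fix or the workaround.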