I configured the RFC2136 provider with gss-tsig authentication. I am able to authenticate against Windows AD and register records to Windows DNS, but the verification of the server's response message fails.
From the logs I see the message:
```
2025-02-24T09:00:15Z" level=warning msg="warn in dns.Client.Exchange: checksum mismatch. Computed: xxxxxxxxxxxxxxxxxxxxxxxx, Contained in token: yyyyyyyyyyyyyyyyyyyyyyyy"
```
This message is from: https://github.com/jcmturner/gokrb5/blob/855dbc707a37a21467aef6c0245fcf3328dc39ed/v8/gssapi/MICToken.go#L119
Version used:
- GSS-TSIG algorithm used is aes256-cts-hmac-sha1
- External-DNS: v0.15.1
- DNS Provider: rfc2136
I did try to use the code from the master branch, but that version exits on the verify error and external-dns goes into a restart loop, as that implementation seems not to ignore the checksum validation as it does in version v0.15.1. With master, I also had problems with the Kerberos realm being overwritten with the zone in upper case, which is not correct in my case as the zone is different from the Kerberos realm.