Establishing and destroying multiple contexts can lead to concurrent map access within the main GSS struct which causes a panic.

Adding a mutex around map writes should fix it.

nsupdate uses just GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG. Certainly having GSS_C_SEQUENCE_FLAG set may break when responses are received out of order, which can happen.

Currently hardcoded to use TCP, no way to specify IPv4/IPv6 only or tune the timeouts.

The negotiated context attempts to indicate the expiration time of the context however it never seems to match reality. The TKEY record has an expiry field which will indicate validity for an hour yet after five minutes the negotiated context will cease to work.

Perhaps the expiry field in the TKEY record needs to be ignored and the expiration is buried in the negotiated GSSAPI/Kerberos/SSPI context.

If a DNS query is used to locate the nameserver(s) then it could be returned with a trailing ., i.e. ns.example.com.. This needs to be stripped off for generating the SPN and passing to Exchange() when joined with a port argument.

Contains fixes for keytab loading

Every so often it will return "message too long" somewhere in the stack. nsupdate seems to always use TCP regardless so we should just do that.

Add a go.mod, etc.

The apcera code uses the following flags when creating the context:

However the gokrb5 version omits the mutual and replay flags:

Even though the mutual flag is there, it's added as the APReq options rather than the GSSAPI flags which seems wrong.

Based on changelog from gokrb5, they solved a "Potential leak of the SPNEGO client session due to reuse of the same cookie jar" and other minor fixes.

Hide the Apcera GSSAPI implementation behind a build tag so we always prefer the native Gokrb5 implementation on !windows.

Tests seem to break when ubuntu-latest switched to 22.04, suspect something to do with loopback networking.

Is it possible to add a wildcard record?
If I try to add "*.example.com. 300 A 192.0.2.1", I get this error:
"unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator"

It appears that the terraform dns provider is throwing the error "Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator" from this package. See issue hashicorp/terraform-provider-dns#160

I have traced the issue to the parameters passed to https://github.com/bodgit/tsig/blob/v1.1.1/gss/gokrb5.go#L243

When changing the parameters to match those passed in the ns1 fork https://github.com/ns1/tsig/blob/master/gss/gokrb5.go#L150 the issue does not present itself. I am not sure why this resolves the issue and really have no insight into what the parameters do.

The issue is reproducible on an active directory dns server.

Try using jcmturner/gokrb5 instead which should remove the CGo requirement.

Hello 👋🏻 ,

Background

We recently had some questions about a confusing error that bubbled up from this library in the DNS terraform provider: hashicorp/terraform-provider-dns#128

Error updating DNS record: Error negotiating GSS context: configuration file could not be opened:  open : no such file or directory

This error is caused by not setting the KRB5_CONFIG environment variable and not having a valid config in one of the default locations defined here:

Looking a little deeper it seems in this situation that the blank file path is passed down to the jcmturner/gokrb5 library and then fails in the os.Open method: https://github.com/jcmturner/gokrb5/blob/2a265cd1f9a5e200336857e55e38ef3c06815891/config/krb5conf.go#L522

Proposal

• We could add more detail to the error message describing that no valid path was found in environment variable or default paths

Even though we now negotiate replay protection with the server when using gokrb5, we don't actually keep track of the sequence numbers used by the server; gokrb5 doesn't track this for us automatically unlike the other GSSAPI implementations.

Not sure if it's as simple as keeping a map[uint64]struct{}{} handy and store each received sequence number.

Can't currently pass a port. Highly unlikely a non-standard port would ever be used however it should be supported. Either extend the host argument to allow passing hostname:port which means we need to split it and get the hostname back out to be able to generate the SPN, etc. or add a separate port argument.

#86 allowed the acceptor subkey to be optional and to fall back to using the session key, however it seems that the subkey flag is always set, i.e.

Not sure how this isn't breaking things in the no subkey scenario, but that flag should be unset when no subkey is used.

Instead of adding support for any potential algorithm, it seems GSSAPI is literally the only missing algorithm. The crypto/ssh package solves this by allowing the passing of an interface, see https://godoc.org/golang.org/x/crypto/ssh#GSSAPIClient

Maybe try that and see if it's more palatable, problem as always is the maintainer.

Now there's a variadic parameter on the constructor, I could drop the required first parameter and add a gss.WithDNSClient(client) option function, and make the default a new dns.Client with the transport set to tcp.

This would be a v2 change.

Due to the upstream maintainer not willing to participate on the PR to add support for GSS-TSIG I'm left with the only solution being to copy enough of the dns.Client code in order to be able to add non-HMAC functionality.

Apcera gssapi dependency repository seems to be 404.