Generate TSIGKEYRING for dns.update.Update - how to?


Majus Misiak
Apr 29, 2019, 6:31:15 AM
to dnspython-users
Hi,

I am trying to create (add) new DNS record on remote server using dnspython.

However, I am rather lost on how to provide correct authentication for the DNS server to the library. The examples page http://www.dnspython.org/examples.html has a note on dns.tsigkeyring, as in here:

Use DNS dynamic update to set the address of a host to a value specified on the command line:

import dns.query
import dns.tsigkeyring
import dns.update
import sys

keyring = dns.tsigkeyring.from_text({
    'host-example.' : 'XXXXXXXXXXXXXXXXXXXXXX=='
})

update = dns.update.Update('dyn.test.example', keyring=keyring)
update.replace('host', 300, 'a', sys.argv[1])

response = dns.query.tcp(update, '10.0.0.1')

I am using corporate DNS (from Microsoft) and running the script on a Linux host (CentOS 7, but I don't think it really matters). I do not have direct access to the DNS server itself, but I can authenticate via Krb5, as in here:

$ kinit  majus...@CORPORATE.SERVER
Password for mami...@CORPORATE.SERVER: 
Warning: Your password will expire in 5 days on Sat 04 May 2019 06:24:59 PM CEST

$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_nOk6TYF
Default principal: majus...@CORPORATE.SERVER

Valid starting       Expires              Service principal
04/29/2019 12:28:27  04/29/2019 22:28:27  krbtgt/CORPORAT...@CORPORATE.SERVER
renew until 05/06/2019 12:28:23

But since the key is already in the persistent KEYRING, I do not see how to provide the key as a `str` to dns.update.Update().

What is the correct way to generate the key in such an environment?

Bob Halley
Apr 29, 2019, 10:14:18 AM
to dnspython-users
Dnspython does not do GSS-TSIG, which is a complex TSIG variant that uses Kerberos.  There are no plans to add this functionality to dnspython.  I don't know if it is possible to configure the Microsoft DNS server to do regular TSIG updates instead.

/Bob

Majus Misiak
Apr 29, 2019, 10:54:25 AM
to dnspython-users
Hi Bob,

Microsoft Windows software does not support TSIG via hmac-md5, rather Microsoft has implemented a different mechanism for authenticating servers using GSS-TSIG.  For this reason, it is not possible to configure a Windows Server running the Microsoft DNS service to perform zone transfers from a server running BIND DNS configured as a master authoritative server with TSIG protection on the allow-transfer directive.

Adding GSS-TSIG support seems like a reasonable feature request for the future -- if auth were handled by a third-party library, e.g. https://pypi.org/project/kerberos/

I know that is off-topic already - but are you aware of any other tool that could do GSS-TSIG? I am aware of nsupdate, but it is not very convenient to use and does not integrate with scripts well - this is the reason I came to dnspython in the first place.

Thanks for the help, btw!

Bob Halley
Apr 29, 2019, 11:25:28 AM
to dnspython-users
Even with a third party library, it's complicated.  The last time I did GSS-TSIG (commercially) it required patching Kerberos, and also additional library support as there's more to it than just Kerberos.  It may be that patching is no longer required, but I don't know.  It's also complex for dnspython because you're basically tunneling Kerberos stuff over the DNS via TKEY queries, in order to establish the shared secret you can then use in TSIG.  There are also a bunch of possible errors that need handling.  Implementing this stuff once was enough for me, so I'm not going to be the person writing it for dnspython.  I would integrate a high quality tested solution written by someone else, but I'd want assurances about the testing.  I'd rather not have GSS-TSIG than get bug reports on it that I wouldn't be able to fix or even replicate myself.  So if anyone is considering doing an implementation, I recommend discussing it with the dnspython maintainers on github before starting work.

I don't know of any other tools that might be more convenient.

/Bob

Brian Candler
Aug 9, 2021, 3:10:35 PM
to dnspython-users
I see that dnspython 2.1.0 has gained GSS-TSIG functionality (doc/whatsnew.rst).

Does anyone have any examples of using it in practice, including configuring the dnspython side and the AD side?

Thanks, Brian.

Bob Halley
Aug 14, 2021, 5:21:27 PM
to dnspython-users
Getting good worked out examples is something that still needs to be done.  I have no advice about setting up the AD side not having done that for like 15 years!  For the dnspython side, there is some example code buried in the middle of the long pull-request discussion about the feature, in Issue 530.  Scroll way down, unhide any hidden stuff, and look for the entry by Lollaskates on July 15, 2020.  That code might not be completely up-to-date, but it's a good start!

Brian Candler
Aug 16, 2021, 5:59:25 AM
to dnspython-users
Thank you! For future reference, here's a direct link to that comment: https://github.com/rthalley/dnspython/pull/530#issuecomment-658959755

D S
Sep 21, 2021, 5:07:21 PM
to dnspython-users
Brian, were you able to get this working with the code posted in the PR?

At this point:
response = dns.query.tcp(tkey_query,'x.x.x.x',timeout=10,port=53)
I'm getting: dns.tsig.BadSignature: The TSIG signature fails to verify.

From the comments, it looks like changes were required in message.py for the example to work at the time of its writing.