GSS-TSIG


D S

Sep 28, 2021, 6:31:40 PM
to dnspython-users
With the following example:

Looks like I'm having issues getting a completed security context

At this point:
response = dns.query.tcp(tkey_query,'x.x.x.x',timeout=10,port=53)

In the traceback seeing the following:
dns.tsig.BadSignature: The TSIG signature fails to verify.
  File "gssapi/raw/message.pyx", line 135, in gssapi.raw.message.verify_mic
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

From the comments from the example author, it looks like changes were required in messages.py for the example to work at the time of its writing.  Has anybody been able to get this functioning/have a working sample?

Bob Halley

Sep 28, 2021, 8:56:28 PM
to dnspython-users
It looks like the (apparently obsolete) example code is expecting message.py to do some magic stepping but clearly the last step hasn't happened as you are getting an "Attempt to use incomplete security context" error.  Rereading more of the giant thread I believe the message.py patch got replaced by passing a dns.tsig.GSSTsigAdapter as the keyring calling dns.message.from_wire().  This will automatically cause the final GSS step before TSIG validation happens.  I'm not sure how this works in client code, and alas I still can't test anything as I don't have a test environment for GSS-TSIG.

D S

Sep 29, 2021, 3:22:00 PM
to dnspython-users
Does this warrant creating an issue/bug in the Github project?  Currently testing with the master branch.

Bob Halley

Oct 1, 2021, 5:04:18 PM
to dnspython-users
Yes, it would be good to have a working client implementation in the library so people didn't have to figure out how to do the TKEY setup themselves.  So, I'm ok with opening an issue for it, but I will mark it as Author Needed as the dnspython maintainers don't have any way to test GSS-TSIG code against a Windows server.   I'd also say that getting that testing ability is essential to progress.