
RFC2136 GSS-TSIG verify checksum fails

Open kluoto opened this issue 8 months ago • 2 comments

I configured the RFC2136 provider with GSS-TSIG authentication. I am able to authenticate against Windows AD and register records in Windows DNS, but the verification of the server's response message fails.

From the logs I see message:

2025-02-24T09:00:15Z" level=warning msg="warn in dns.Client.Exchange: checksum mismatch. Computed: xxxxxxxxxxxxxxxxxxxxxxxx, Contained in token: yyyyyyyyyyyyyyyyyyyyyyyy"

This message is from: https://github.com/jcmturner/gokrb5/blob/855dbc707a37a21467aef6c0245fcf3328dc39ed/v8/gssapi/MICToken.go#L119

Version used:

GSS-TSIG algorithm used: aes256-cts-hmac-sha1
External-DNS: v0.15.1
DNS Provider: rfc2136

I did try to use the code from the master branch, but that version exits on the verify error and external-dns goes into a restart loop, as that implementation seems not to ignore the checksum validation the way version v0.15.1 does. With master, I also had problems with the Kerberos realm being overwritten with the zone in upper case, which is not correct in my case, as the zone is different from the Kerberos realm.

kluoto avatar Feb 24 '25 10:02 kluoto
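To make the warning in the log concrete, here is an added Go example (not code from external-dns, gokrb5, miekg/dns or the issue author) of the RFC 4121 MIC token check that produces the "Computed ... Contained in token" message. The token carries a 16-byte header (TOK_ID 0x0404, flags, five 0xFF filler bytes, 64-bit sequence number) followed by the checksum, which for the aes*-cts-hmac-sha1 enctypes is HMAC-SHA1-96 over the signed message followed by that header. The signed bytes themselves are not in the token: in GSS-TSIG the receiver rebuilds them from the DNS message it got, so any difference between what the signer hashed and what the verifier hashes, or a different derived key, shows up as exactly this mismatch. The checksum key `kc` and the message bytes below are constructed sample inputs, and the RFC 3961 key derivation (DK of the session key with key usage 23 or 25 and 0x99) that would produce a real `kc` is assumed to have happened already and is not shown.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 4121 section 4.2.6.1 MIC token layout: a 16-byte header followed by the
// checksum. For the aes*-cts-hmac-sha1 enctypes the checksum is HMAC-SHA1-96.
const (
	MICTokID           = 0x0404
	MICHeaderLen       = 16
	FlagSentByAcceptor = 0x01
	FlagAcceptorSubkey = 0x04
	HMACSHA1_96Len     = 12
)

var micFiller = []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF}

// MICToken holds the wire fields. The signed message is not part of the token;
// in GSS-TSIG the receiver reconstructs it from the DNS message (RFC 3645).
type MICToken struct {
	Flags     byte
	SndSeqNum uint64
	Checksum  []byte
}

func (t MICToken) header() []byte {
	h := make([]byte, MICHeaderLen)
	binary.BigEndian.PutUint16(h[0:2], MICTokID)
	h[2] = t.Flags
	copy(h[3:8], micFiller)
	binary.BigEndian.PutUint64(h[8:16], t.SndSeqNum)
	return h
}

// micChecksum is get_mic for aes-cts-hmac-sha1: HMAC-SHA1 over message || header,
// truncated to 96 bits. kc is assumed to be the already derived checksum key
// (RFC 3961 DK(base key, usage || 0x99), usage 23 or 25); derivation not shown.
func micChecksum(kc, message, header []byte) []byte {
	m := hmac.New(sha1.New, kc)
	m.Write(message)
	m.Write(header)
	return m.Sum(nil)[:HMACSHA1_96Len]
}

// NewMICToken is the signer's side: fix flags and sequence number, then
// checksum the message together with the resulting header.
func NewMICToken(kc, message []byte, flags byte, seq uint64) MICToken {
	t := MICToken{Flags: flags, SndSeqNum: seq}
	t.Checksum = micChecksum(kc, message, t.header())
	return t
}

// Marshal emits header || checksum, the bytes carried in the TSIG MAC field.
func (t MICToken) Marshal() []byte { return append(t.header(), t.Checksum...) }

// ParseMICToken validates the fixed fields and splits off the checksum.
func ParseMICToken(b []byte) (MICToken, error) {
	if len(b) != MICHeaderLen+HMACSHA1_96Len {
		return MICToken{}, fmt.Errorf("bad MIC token length %d", len(b))
	}
	if binary.BigEndian.Uint16(b[0:2]) != MICTokID {
		return MICToken{}, errors.New("not a MIC token (TOK_ID != 0x0404)")
	}
	if !bytes.Equal(b[3:8], micFiller) {
		return MICToken{}, errors.New("bad filler bytes")
	}
	return MICToken{Flags: b[2], SndSeqNum: binary.BigEndian.Uint64(b[8:16]), Checksum: b[16:]}, nil
}

// Verify is the receiver's side: recompute over the message the receiver holds
// and compare in constant time. The error text mirrors the one in the log.
func (t MICToken) Verify(kc, message []byte) error {
	computed := micChecksum(kc, message, t.header())
	if !hmac.Equal(computed, t.Checksum) {
		return fmt.Errorf("checksum mismatch. Computed: %s, Contained in token: %s",
			hex.EncodeToString(computed), hex.EncodeToString(t.Checksum))
	}
	return nil
}

func main() {
	// Constructed sample inputs; neither is a real Kerberos key or DNS message.
	kc := []byte("constructed-32-byte-checksum-key")
	signed := []byte("constructed bytes the DNS server signed")

	tok := NewMICToken(kc, signed, FlagSentByAcceptor|FlagAcceptorSubkey, 1)
	parsed, err := ParseMICToken(tok.Marshal())
	if err != nil {
		panic(err)
	}
	fmt.Println("same bytes:", parsed.Verify(kc, signed))
	// Hashing one byte more than the signer did (or using a different kc)
	// yields the Computed/Contained-in-token mismatch seen in the issue.
	fmt.Println("one extra byte:", parsed.Verify(kc, append(signed, 0x00)))
}
```

The flags byte is worth checking when debugging a real exchange: a response from the DNS server should have SentByAcceptor set, and AcceptorSubkey tells the verifier which key the checksum key was derived from. Using the wrong base key or key usage produces the same symptom as hashing the wrong bytes, so the log line alone does not say which side is at fault.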