dns-rfc2136: GSS-TSIG (Kerberos) authentication #9482

Draft: wants to merge 2 commits into master

Conversation

@grawity (Contributor) commented Nov 27, 2022

This would close #7370. It raises the dnspython dependency to 2.1.0 and adds an optional runtime dependency on python-gssapi (and therefore on MIT Krb5 or possibly Heimdal) – although that's only imported when needed so HMAC-TSIG still functions without GSSAPI, and practically anyone who wants GSS-TSIG will already have Krb5 anyway.

@alexzorin (Collaborator) commented Dec 7, 2022

Hi,

Thank you for your contribution.

After reflecting on this PR for a while, I think it is probably unlikely that we would be willing to take this functionality on. The reason is that the functionality needs to be owned by someone: maintained and tested into the future. To do this, we would have to extend our RFC2136 integration testing environment to include an implementation of a Kerberos server and to have an understanding about the use case.

I think we (at least speaking for myself) are currently unwilling to do this ourselves unless there was a widespread demand for this functionality from our users, which we haven't seen yet. (Though I do see some demand in the linked issue, actually).

You would be welcome to publish this as a third-party plugin.

An afterthought: if it is possible to do an integration test for this without having a standalone Kerberos server (i.e. the GSS credentials are integrated entirely into BIND configuration) then I'd reconsider.

@alexzorin added the labels "area: dns" and "priority: unplanned" (work that we believe should be done, but does not have a higher priority) on Dec 7, 2022
@grawity (Contributor, author) commented Dec 8, 2022

I was thinking about making this a separate plugin, but I'm not sure whether it should be fully separate (with GSS-TSIG as the only mode), or whether it should remain a fork of the current plugin (i.e. GSS added while keeping the HMAC-TSIG support). As you can see I'm still struggling to get the Mypy type-checking right (so the PR is functional but still very much a draft), so adding tests would take a while longer still.

> An afterthought: if it is possible to do an integration test for this without having a standalone Kerberos server (i.e. the GSS credentials are integrated entirely into BIND configuration) then I'd reconsider.

That's already the case from the BIND side, but it can't be 100% standalone as the GSS client (i.e. nsupdate or Certbot) needs to talk to a Kerberos KDC to retrieve credentials.

However, it doesn't have to be a full Active Directory or Samba installation – it can be a standalone MIT Krb5 or Heimdal krb5kdc daemon running on the same system, with a file-based database. (For what it's worth, a minimal MIT KDC setup would look like this, with the client talking to a hardcoded kdc = localhost:$PORT).

(I suspect everyone else's use case is Active Directory and AD-integrated Windows DNS Server, but I was in fact testing against a MIT KDC and BIND 9.)
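The local test setup described in the comment above (a standalone MIT krb5kdc on the same host with a file-based database, BIND holding its GSS credentials in a keytab, and the client pointed at a hardcoded kdc = localhost:$PORT), written out as an added example; this is not code from this PR, from Certbot or from the commenter. All names and ports are assumptions for illustration: realm EXAMPLE.TEST, zone example.test, a nameserver name ns1.example.test that must resolve to 127.0.0.1 (for instance through an /etc/hosts entry), the KDC on port 8888 and BIND on 127.0.0.1:5353 so nothing needs root. It relies on MIT krb5 tools (kinit reading the password from stdin is MIT behaviour; Heimdal differs) and on nsupdate -g as the GSS-TSIG client in place of Certbot.

```shell
#!/bin/sh
# Added example, not code from the PR or from Certbot: a throwaway lab for
# exercising GSS-TSIG updates against BIND 9 with a standalone MIT Kerberos
# KDC on the same host. Assumptions for illustration: realm EXAMPLE.TEST,
# zone example.test, nameserver ns1.example.test (must resolve to 127.0.0.1),
# KDC on localhost:8888, BIND on 127.0.0.1:5353. Requires MIT krb5
# (kdb5_util, kadmin.local, krb5kdc, kinit) and BIND 9 (named, nsupdate).
# All state lives under $LAB; /etc is never touched.

LAB="${LAB:-/tmp/gss-tsig-lab}"
REALM="EXAMPLE.TEST"
ZONE="example.test"
NS_HOST="ns1.${ZONE}"
KDC_PORT="8888"
DNS_PORT="5353"

# Write every config file into directory $1. Only creates files, so it is
# safe to run (and test) on a machine with neither Kerberos nor BIND.
write_configs() {
    dir="$1"
    mkdir -p "$dir/kdc" "$dir/bind"

    # Client krb5.conf: the KDC is hardcoded as localhost:$KDC_PORT, so no
    # SRV lookups and no dependency on the system-wide /etc/krb5.conf.
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false
[realms]
    ${REALM} = {
        kdc = localhost:${KDC_PORT}
    }
EOF

    # kdc.conf: file-based principal database and stash under the lab dir.
    cat > "$dir/kdc/kdc.conf" <<EOF
[kdcdefaults]
    kdc_ports = ${KDC_PORT}
    kdc_tcp_ports = ${KDC_PORT}
[realms]
    ${REALM} = {
        database_name = ${dir}/kdc/principal
        key_stash_file = ${dir}/kdc/stash
        acl_file = ${dir}/kdc/kadm5.acl
    }
EOF

    # named.conf: tkey-gssapi-keytab holds DNS/ns1.example.test@EXAMPLE.TEST.
    # The update-policy lets only the client principal write TXT records
    # under _acme-challenge, which is all an ACME DNS-01 client needs.
    cat > "$dir/bind/named.conf" <<EOF
options {
    directory "${dir}/bind";
    listen-on port ${DNS_PORT} { 127.0.0.1; };
    listen-on-v6 { none; };
    recursion no;
    tkey-gssapi-keytab "${dir}/dns.keytab";
};
zone "${ZONE}" {
    type master;
    file "${dir}/bind/${ZONE}.zone";
    update-policy {
        grant "certbot@${REALM}" subdomain _acme-challenge.${ZONE}. TXT;
    };
};
EOF

    cat > "$dir/bind/${ZONE}.zone" <<EOF
\$TTL 60
@   IN SOA ${NS_HOST}. hostmaster.${ZONE}. ( 1 3600 600 86400 60 )
@   IN NS  ${NS_HOST}.
ns1 IN A   127.0.0.1
EOF
}

# Create the realm, principals and keytab, start KDC and BIND, then send one
# GSS-TSIG update with nsupdate -g. Needs the real binaries; not run by tests.
run_lab() {
    write_configs "$LAB"
    export KRB5_CONFIG="$LAB/krb5.conf"           # client and server side
    export KRB5_KDC_PROFILE="$LAB/kdc/kdc.conf"   # kdb5_util, kadmin.local, krb5kdc
    export KRB5CCNAME="FILE:$LAB/ccache"
    : > "$LAB/kdc/kadm5.acl"

    kdb5_util -r "$REALM" create -s -P lab-master-key
    kadmin.local -q "addprinc -randkey DNS/${NS_HOST}@${REALM}"
    kadmin.local -q "ktadd -k $LAB/dns.keytab DNS/${NS_HOST}@${REALM}"
    kadmin.local -q "addprinc -pw lab-client-pw certbot@${REALM}"

    krb5kdc -n -P "$LAB/kdc/kdc.pid" &
    named -g -c "$LAB/bind/named.conf" &
    sleep 2

    # Client side: TGT from localhost:8888, then a TKEY-negotiated signed update.
    printf '%s\n' lab-client-pw | kinit "certbot@${REALM}"
    nsupdate -g <<EOF
server ${NS_HOST} ${DNS_PORT}
zone ${ZONE}
update add _acme-challenge.${ZONE}. 60 IN TXT "lab-token"
send
EOF
}

if [ "${1:-}" = "run" ]; then run_lab; fi
```

Run it as `sh gss-tsig-lab.sh run`; without the argument it only defines the functions. The part worth copying into a real deployment is the update-policy: granting the client principal nothing beyond TXT under _acme-challenge means a leaked Certbot credential (or Kerberos ticket) cannot rewrite A or MX records in the zone.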

@alexzorin (Collaborator) replied

> I'm still struggling to get the Mypy type-checking right

The typing stubs for dnspython are outdated so you more or less have to ignore the false positives like this.

> I was thinking about making this a separate plugin, but I'm not sure whether it should be fully separate (with GSS-TSIG as the only mode), or whether it should remain a fork of the current plugin (i.e. GSS added while keeping the HMAC-TSIG support).

I think, whatever would be easier for you to maintain.

Development

Successfully merging this pull request may close these issues.

GSS-TSIG support for rfc2136 DNS addon
2 participants