Go 1.20.x: Inconsistent LookupCNAME breaks TGS Exchange (KDC_ERR_S_PRINCIPAL_UNKNOWN)
jbvmio opened this issue
This is mostly PSA.
Changes introduced in Go version 1.20 have made the net.LookupCNAME function unreliable or, at least, inconsistent with previous versions of Go on Unix systems.
Example:
https://github.com/jcmturner/gokrb5/blob/v8.4.4/spnego/http.go#L165
Change:
https://go-review.googlesource.com/c/go/+/446179
Issue:
I have confirmed, first hand, this breaks existing applications using gokrb5 when DNS responds with multiple CNAMEs. As noted here: golang/go#50101 (comment)
The behavior is inconsistent: sometimes the correct canonical name is returned and everything functions normally. When the incorrect name is returned, a KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database - UNKNOWN_SERVER occurs when initiating the outbound security context.
https://github.com/jcmturner/gokrb5/blob/v8.4.4/spnego/http.go#L181
Workaround:
For now, compile using a Go version prior to 1.20.
Additional Resources:
golang/go#59943
golang/go#50101
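As an added illustration, not code from gokrb5 or from the issue author, the Go program below models what the report describes: the HTTP service principal name is built from whatever name the CNAME lookup returns, so a resolver that hands back an intermediate CNAME produces an SPN the KDC has never registered, which is exactly the condition that surfaces as KDC_ERR_S_PRINCIPAL_UNKNOWN. The DNS records, the list of SPNs the KDC knows, and the two resolver behaviours (`firstCNAME`, `finalCNAME`) are constructed stand-ins for net.LookupCNAME; the explicit-SPN path assumes the client library lets the caller supply the SPN instead of deriving it (gokrb5's SetSPNEGOHeader takes an spn argument).

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for DNS: each key carries a CNAME pointing at its
// value; names ending in "." are fully qualified. The chain modelled is
//   web.example.com -> lb.example.com -> node1.example.com
// where node1.example.com has only address records and no CNAME.
var cnameRecords = map[string]string{
	"web.example.com.": "lb.example.com.",
	"lb.example.com.":  "node1.example.com.",
}

// Constructed: the SPNs the KDC actually has keys for. Only the final
// canonical host was registered, as is typical.
var registeredSPNs = []string{"HTTP/node1.example.com"}

// fqdn appends the trailing dot DNS uses for absolute names.
func fqdn(h string) string {
	if strings.HasSuffix(h, ".") {
		return h
	}
	return h + "."
}

// firstCNAME answers with only the first CNAME record, i.e. an intermediate
// name when the chain has more than one hop. A name without a CNAME is its
// own canonical name. This models the "incorrect name" case in the report.
func firstCNAME(host string) (string, error) {
	name := fqdn(host)
	if target, ok := cnameRecords[name]; ok {
		return target, nil
	}
	return name, nil
}

// finalCNAME follows the chain to its end, the name the SPN was registered
// under. This models the "correct canonical name" case in the report.
func finalCNAME(host string) (string, error) {
	return followCNAME(host, cnameRecords, 8)
}

// followCNAME walks at most maxHops CNAME records from host, stopping early
// at the first name that has no CNAME. A chain still unresolved after
// maxHops (including a loop) is an error rather than a silently returned
// mid-chain name.
func followCNAME(host string, records map[string]string, maxHops int) (string, error) {
	name := fqdn(host)
	for hop := 0; hop < maxHops; hop++ {
		target, ok := records[name]
		if !ok {
			return name, nil
		}
		name = target
	}
	if _, ok := records[name]; ok {
		return "", fmt.Errorf("CNAME chain for %s exceeds %d hops (possible loop)", host, maxHops)
	}
	return name, nil
}

// spnForHost derives "HTTP/<canonical host>" the way the report describes,
// trimming the trailing dot. An explicit SPN, when supplied, bypasses the
// DNS-dependent derivation entirely.
func spnForHost(host, explicitSPN string, lookup func(string) (string, error)) (string, error) {
	if explicitSPN != "" {
		return explicitSPN, nil
	}
	name, err := lookup(host)
	if err != nil {
		return "", err
	}
	return "HTTP/" + strings.TrimSuffix(name, "."), nil
}

// kdcKnowsSPN models the KDC's principal lookup during the TGS exchange:
// an unknown principal is what the client sees as error (7).
func kdcKnowsSPN(spn string, registered []string) bool {
	for _, r := range registered {
		if r == spn {
			return true
		}
	}
	return false
}

func main() {
	resolvers := []struct {
		label  string
		lookup func(string) (string, error)
	}{{"first CNAME", firstCNAME}, {"final CNAME", finalCNAME}}
	for _, r := range resolvers {
		spn, err := spnForHost("web.example.com", "", r.lookup)
		if err != nil {
			fmt.Println(r.label, "error:", err)
			continue
		}
		fmt.Printf("%-12s -> %-24s known to KDC: %v\n", r.label, spn, kdcKnowsSPN(spn, registeredSPNs))
	}
}
```

Running it prints one line per resolver behaviour: the first-CNAME answer yields HTTP/lb.example.com, which the KDC does not know, while following the chain yields HTTP/node1.example.com, which it does. Supplying the SPN explicitly removes the dependency on how a given Go release's LookupCNAME walks the chain, which is a more durable fix than pinning the compiler version.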