jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

Go 1.20.x: Inconsistent LookupCNAME breaks TGS Exchange (KDC_ERR_S_PRINCIPAL_UNKNOWN) #527

Open jbvmio opened 11 months ago

jbvmio commented 11 months ago

This is mostly PSA.

Changes introduced in Go version 1.20 have made the net.LookupCNAME function unreliable or, at least, inconsistent with previous versions of Go on Unix systems.

Example: https://github.com/jcmturner/gokrb5/blob/v8.4.4/spnego/http.go#L165

Change: https://go-review.googlesource.com/c/go/+/446179

Issue: I have confirmed, first-hand, that this breaks existing applications using gokrb5 when DNS responds with multiple CNAMEs. As noted here: https://github.com/golang/go/issues/50101#issuecomment-1332607249

The behavior is inconsistent: sometimes the correct canonical name is returned and everything functions normally. When the incorrect name is returned, a KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database - UNKNOWN_SERVER will occur when initiating the outbound security context. https://github.com/jcmturner/gokrb5/blob/v8.4.4/spnego/http.go#L181

Workaround: For now, compile using a Go version prior to 1.20

Additional Resources: https://github.com/golang/go/issues/59943 https://github.com/golang/go/issues/50101
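As an added example (not gokrb5's own code, and not from the reporter): a Go helper that follows the CNAME chain to its fixed point with a hop limit, so the service principal name requested in the TGS exchange does not depend on whether net.LookupCNAME returns the first or the last alias of a multi-CNAME chain. The Lookup type matches the signature of net.DefaultResolver.LookupCNAME; the zone data and hostnames are constructed.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Lookup resolves one CNAME hop; net.DefaultResolver.LookupCNAME has exactly this signature.
type Lookup func(ctx context.Context, host string) (string, error)

// CanonicalName follows CNAMEs to a fixed point, so the result is the same whether the resolver returns the first or the last alias.
func CanonicalName(ctx context.Context, lookup Lookup, host string, maxHops int) (string, error) {
	cur := strings.TrimSuffix(strings.ToLower(host), ".")
	for i := 0; i < maxHops; i++ {
		next, err := lookup(ctx, cur)
		if err != nil {
			return "", err
		}
		next = strings.TrimSuffix(strings.ToLower(next), ".")
		if next == "" || next == cur {
			return cur, nil // no further alias: cur is the canonical name
		}
		cur = next
	}
	return "", fmt.Errorf("CNAME chain for %q exceeds %d hops (loop or misconfigured zone); refusing to build an SPN", host, maxHops)
}

// ServicePrincipalName builds the SPN the SPNEGO client asks the KDC for, e.g. HTTP/web01.dc.example.net.
func ServicePrincipalName(ctx context.Context, lookup Lookup, service, host string) (string, error) {
	cn, err := CanonicalName(ctx, lookup, host, 8)
	if err != nil {
		return "", err
	}
	return service + "/" + cn, nil
}

// ConstructedChain is sample zone data (not real DNS): a two-hop CNAME chain ending at the host whose HTTP/ key the KDC holds.
var ConstructedChain = map[string]string{
	"app.example.com":    "app-lb.example.net.",
	"app-lb.example.net": "web01.dc.example.net.",
}

// StaticLookup answers from ConstructedChain; a name with no CNAME resolves to itself, as LookupCNAME does.
func StaticLookup(_ context.Context, host string) (string, error) {
	if target, ok := ConstructedChain[host]; ok {
		return target, nil
	}
	return host + ".", nil
}
```

Passing net.DefaultResolver.LookupCNAME as the Lookup gives the real-DNS version; with the constructed zone above, ServicePrincipalName yields HTTP/web01.dc.example.net regardless of which alias a single LookupCNAME call would have returned.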