3.1.5.1 Handling the MAC Field While Digesting DNS Messages
GSS-TSIG [RFC3645] specifies how the client and server exchange tokens obtained from GSS-API calls [RFC2743]. The tokens are carried in DNS TKEY records [RFC2930]. In [RFC3645] section 4.1.3, GSS-TSIG specifies that the server MUST sign the final TKEY response of the GSS-TSIG negotiation.
In [RFC2845] section 3.4.3, TSIG specifies that the message authentication code (MAC) of the request is to be included in the digest when generating or verifying the MAC of a signed response. However, the final TKEY response in the GSS-TSIG negotiation is the first DNS message in the exchange that is signed: the TKEY query it answers carries no TSIG record, so there is no request MAC that can be included in the digest operation.
When there is no request MAC, the most natural reading of [RFC2845] section 3.4.3 is that the 2-byte request MAC length field, with a value of zero, is still included in the digest to indicate that no request MAC data bytes follow. This protocol extension instead specifies that, when building the digest for the final TKEY response, the request MAC MUST be omitted completely. In other words, neither the request MAC length field nor the request MAC data field is included in the digest, so the only components of the digest are the DNS response message and the TSIG variables of the response, as specified in [RFC2845] section 3.4.2. An implementation that digests the zero-length field will compute a MAC over two extra bytes and will fail to verify the final TKEY response.
After GSS-TSIG negotiation is complete, the digesting of further DNS messages MUST include the request MAC (the 2-byte length field followed by the MAC data) wherever [RFC2845] section 3.4 calls for it.
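The three digest layouts described above, as an added example that is not part of this specification or of any Microsoft implementation. It builds the byte string covered by the MAC according to [RFC2845] section 3.4 (request MAC, then the DNS message, then the TSIG variables) and shows the final TKEY response digested with the request MAC omitted, the rejected zero-length reading, and a post-negotiation response digested with the request MAC of its request. Because the GSS-API context is not available offline, HMAC-SHA256 over a constructed key stands in for GSS_GetMIC; the key name, algorithm name, timestamps and message bodies are all constructed sample values, and `worked_exchange` is a helper invented for the illustration.

```python
import hmac
import hashlib
import struct
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name: str, algorithm: str, time_signed: int,
                   fudge: int = 300, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG variables in the order RFC 2845 section 3.4.2 lists them."""
    return (encode_name(key_name)                 # NAME (the key name)
            + struct.pack("!H", 255)              # CLASS = ANY
            + struct.pack("!I", 0)                # TTL = 0
            + encode_name(algorithm)              # Algorithm Name
            + struct.pack("!Q", time_signed)[2:]  # Time Signed, 48 bits
            + struct.pack("!H", fudge)            # Fudge
            + struct.pack("!H", error)            # Error
            + struct.pack("!H", len(other))       # Other Len
            + other)                              # Other Data


def digest_input(dns_message: bytes, tsig_vars: bytes,
                 request_mac: Optional[bytes]) -> bytes:
    """Bytes covered by the MAC, per RFC 2845 section 3.4.

    request_mac is None  -> no request MAC at all: a request, or the final
                            TKEY response under this extension (no length field).
    request_mac is b""   -> the literal RFC 2845 reading: a 2-byte length of 0.
    request_mac is bytes -> normal signed response: 2-byte length + MAC data.
    """
    parts = []
    if request_mac is not None:
        parts.append(struct.pack("!H", len(request_mac)) + request_mac)
    parts.append(dns_message)
    parts.append(tsig_vars)
    return b"".join(parts)


def compute_mac(key: bytes, dns_message: bytes, tsig_vars: bytes,
                request_mac: Optional[bytes]) -> bytes:
    # Assumption: HMAC-SHA256 stands in for GSS_GetMIC so the example runs
    # offline; real GSS-TSIG MACs come from the negotiated GSS-API context.
    return hmac.new(key, digest_input(dns_message, tsig_vars, request_mac),
                    hashlib.sha256).digest()


def verify_mac(key: bytes, dns_message: bytes, tsig_vars: bytes,
               request_mac: Optional[bytes], mac: bytes) -> bool:
    return hmac.compare_digest(
        compute_mac(key, dns_message, tsig_vars, request_mac), mac)


# Constructed sample data (not captured traffic): a stand-in session key and
# stand-in DNS message bodies; only the digest layout matters here.
KEY = b"constructed-session-key"
KEY_NAME = "1234.sig-dns.example.com."
FINAL_TKEY_RESPONSE = b"<constructed final TKEY response bytes>"
LATER_REQUEST = b"<constructed signed update request bytes>"
LATER_RESPONSE = b"<constructed signed update response bytes>"


def worked_exchange() -> dict:
    """Sign the final TKEY response with the request MAC omitted, then a
    later request/response pair where the response digests the request MAC."""
    tkey_vars = tsig_variables(KEY_NAME, "gss-tsig.", 1_700_000_000)
    tkey_mac = compute_mac(KEY, FINAL_TKEY_RESPONSE, tkey_vars, None)

    # Requests never carry a request MAC (RFC 2845 section 3.4.3).
    req_vars = tsig_variables(KEY_NAME, "gss-tsig.", 1_700_000_010)
    req_mac = compute_mac(KEY, LATER_REQUEST, req_vars, None)

    # After negotiation the response digest prepends the request's MAC.
    resp_vars = tsig_variables(KEY_NAME, "gss-tsig.", 1_700_000_011)
    resp_mac = compute_mac(KEY, LATER_RESPONSE, resp_vars, req_mac)

    return {"tkey_vars": tkey_vars, "tkey_mac": tkey_mac,
            "req_vars": req_vars, "req_mac": req_mac,
            "resp_vars": resp_vars, "resp_mac": resp_mac}


if __name__ == "__main__":
    r = worked_exchange()
    print("final TKEY response MAC:", r["tkey_mac"].hex())
    print("later response MAC:     ", r["resp_mac"].hex())
```

A verifier that keeps the zero-length field for the final TKEY response (`request_mac=b""`) computes over two extra bytes and rejects a MAC produced by a peer that omits it, which is the interoperability failure this section is written to prevent.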