Question about dns_lookup_realm and domain_realm

Danny Mayer mayer at ntp.isc.org
Sun Jun 29 23:54:32 EDT 2008


Jeffrey Altman wrote:
> Jos Backus wrote:
>> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>>> This behavior was most likely broken when the referrals code was added. 
>>
>> So it's a regression. Until this is fixed properly (which I don't claim my
>> patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong
>> with the patch as such?
> There are several issues here.  First, DNS TXT records are known to be insecure.
> Turning them on for use in realm resolution provides for convenience but at the
> risk that your clients can be redirected to a realm that you do not control.

There is nothing insecure about DNS TXT records, any more than any other 
record in the DNS. I'm not sure where this idea came from.

Danny


