RFC: Turning off reverse hostname resolution by default in 1.10

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jul 6 13:49:57 EDT 2011


Getting rid of the reverse dns lookups for canonical name resolution is
the right thing to do and will finally bring MIT Kerberos into
compliance with RFC 4120.  It will impact the help desks of a large
number of sites.  I believe that as part of such a change MIT should
change the version number to 2.0 in order to make clear that there is
something major that sites need to pay attention to.

Jeffrey Altman


On 7/6/2011 1:27 PM, ghudson at MIT.EDU wrote:
> When creating service principals from hostnames, MIT krb5 performs two
> canonicalization steps by default:
> 
>   1. Ask getaddrinfo() for the canonical name of the host, which
>   converts non-fully-qualified domain names to fully-qualified ones
>   and also resolves CNAME records in DNS.
> 
>   2. Use getnameinfo() to reverse-canonicalize the address resulting
>   from the gaddrinfo call.  Typically, this results in a PTR lookup in
>   DNS.  This step can be suppressed by setting rdns = false in
>   libdefaults.
> 
> Neither of these steps is especially secure in most deployments.  We
> have long-term plans to address that.  But, the second step in
> particular also introduces a usability cost for new deployments
> whenever there are mismatched PTR records.
> 
> We are considering turning off rdns by default in MIT krb5 1.10.  In
> the past we've shied away from changing the default because we've been
> afraid of creating upgrade pain.  But after consideration, we're not
> sure there's likely to be much impact.
> 
> Does anyone on this list intentionally rely on PTR lookups for
> Kerberos hostname canonicalization?
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20110706/59e96864/attachment.bin


More information about the Kerberos mailing list