[krbdev.mit.edu #6518] Krb documentation: Mapping Hostnames onto Kerberos Realms and Hostnames for KDCs

Tom Yu via RT rt-comment at krbdev.mit.edu
Fri Jun 26 12:36:31 EDT 2009


"Sharma, Shambhulal via RT" <rt-comment at krbdev.mit.edu> writes:

> Can someone please look into the CNAME-related krb documentation and
> source code together whether I missed something. I debugged the krb
> code extensively to locate the code to find KDC names using CNAME
> records. Anyway, the SRV DNS records are a better way to program the
> KDC names.
>
> I will try to create a bug in krb bug tracking system as I could not
> find a way to do so yet.

Thanks; sending mail to krb5-bugs at mit.edu is sufficient to create a
bug in the bug tracking system.  Do you have suggestions for how to
update this documentation?

The suggestion in the documentation of using CNAME records is to
support the (obsolete) practice of listing hostname aliases in
client configuration files.  For example, client configuration such
as:

[realms]
        EXAMPLE.COM = {
                kdc = kerberos.example.com
                kdc = kerberos-1.example.com
        }

will allow site administrators to replace KDC hosts with ones having
different canonical hostnames, as long as they update the CNAME
records in DNS to reflect those changes.

There is no explicit krb5 library code to handle CNAME records in this
situation; the library calls getaddrinfo() (it formerly called
gethostbyname() or similar) to look up the IP addresses, which would
automatically handle CNAME records.

Deployment experience has largely been that it is useful to minimize
the amount of explicit configuration on client hosts, so we no longer
recommend explicitly listing KDC hostnames (or aliases) in client
configuration files.

The documentation could probably make the above information more
clear.  What specific documentation changes do you think will best
convey the rationale for using CNAME records?
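As an added example (not part of this message or of the krb5 code base), the following Python reads a [realms] stanza like the one above and resolves each kdc name the way the reply describes: through getaddrinfo() with AI_CANONNAME, so the resolver itself follows the CNAME and no Kerberos-specific alias handling is needed. The function names, FAKE_CNAMES and fake_getaddrinfo are constructed stand-ins so the block runs offline; pass nothing for lookup to use the real socket.getaddrinfo.

```python
import re
import socket
# Constructed krb5.conf fragment in the shape shown in the message above.
SAMPLE_KRB5_CONF = """[realms]
        EXAMPLE.COM = {
                kdc = kerberos.example.com
                kdc = kerberos-1.example.com
        }
"""

# Constructed stand-in for DNS: alias -> canonical name (the CNAME target).
FAKE_CNAMES = {"kerberos.example.com": "kdc-a.example.com",
               "kerberos-1.example.com": "kdc-b.example.com"}

def parse_realm_kdcs(conf_text):
    """Return {REALM: [kdc hostnames, in file order]} from the [realms] section."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                        # new section header
            section, realm = line.strip("[]").lower(), None
        elif section != "realms":
            continue                                    # other sections ignored
        elif (m := re.match(r"([^\s=]+)\s*=\s*\{$", line)):  # REALM = {
            realm = m.group(1)
            kdcs.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and line.partition("=")[0].strip() == "kdc":
            kdcs[realm].append(line.partition("=")[2].strip())
    return kdcs

def fake_getaddrinfo(host, port, *args):
    """Offline getaddrinfo() substitute that follows FAKE_CNAMES like a resolver."""
    canon = FAKE_CNAMES.get(host, host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, canon, ("192.0.2.1", port))]

def canonical_kdcs(conf_text, lookup=socket.getaddrinfo):
    """Resolve each configured kdc via getaddrinfo(AI_CANONNAME); the resolver follows CNAMEs."""
    out = {}
    for realm, hosts in parse_realm_kdcs(conf_text).items():
        out[realm] = []
        for host in hosts:
            # getaddrinfo tuples are (family, type, proto, canonname, sockaddr);
            # canonname is filled in on the first entry when AI_CANONNAME is set.
            res = lookup(host, 88, 0, socket.SOCK_STREAM, 0, socket.AI_CANONNAME)
            out[realm].append((host, res[0][3] or host))
    return out
```

Against live DNS, the canonical name returned for an alias is whatever the CNAME chain ends at, which is why swapping KDC hosts behind stable alias names needs no client-side change.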