loadbalancing of kerberized services
Donn Cave
donn at u.washington.edu
Mon Apr 12 19:52:23 EDT 2004
In article <1654180000.1081809295 at minbar.fac.cs.cmu.edu>,
jhutz at cmu.edu (Jeffrey Hutzelman) wrote:
> On Saturday, April 10, 2004 16:47:21 +0000 Donn Cave <donn at drizzle.com>
> wrote:
>
> > It depends on your client software. All you need to do is resolve the
> > addresses to canonical host name first, and use the resolved name for
> > both the client connect and the service ticket.
>
> Careful here... Using insecure DNS to compute a service principal name is
> asking for trouble. You're OK if, as suggested, you compare the resulting
> name to a list of known valid servers, but that's a fair bit of work and
> most software that does reverse resolution to determine service names
> either can't or doesn't do it.
I believe we're more or less always asking for this trouble.
If you don't get a canonical, reverse looked-up name back
out of MIT Kerberos krb5_sname_to_principal(), then you're
doing something different than me.
Given that implementation, you're going to do the reverse
lookup anyway, so the only question is whether it would be
convenient to actually connect to the same host. I assume
so; that's why I'd propose to look up the canonical name in
the application.
Donn Cave, donn at u.washington.edu
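The known-server comparison Jeff raises in the quoted reply, as an added example (not code from either poster or from MIT Kerberos): a C helper that takes the canonical name the application resolved, refuses it unless it appears in a caller-supplied list of valid servers, and only then formats the service principal used for the ticket request. The host names, allow-list and realm are constructed, and the canonical name stands in for whatever the application's own lookup returned.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lower-case `name` into `out`, dropping a trailing dot. Rejects empty or
 * over-long names and any holding '/', '@' or whitespace (principal syntax). */
static int normalize_hostname(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        n--;                                  /* "host.example.com." -> "host.example.com" */
    if (n == 0 || n >= outlen) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '@' || isspace(c)) return -1;  /* would alter components */
        out[i] = (char)tolower(c);
    }
    out[n] = '\0';
    return 0;
}

/* Build "service/host@REALM" from a DNS-derived canonical name, but only when
 * that name is one of the caller's known valid servers. 0 on success, else -1. */
int build_service_principal(const char *service, const char *canonical,
                            const char *realm, const char *const *allowed,
                            size_t n_allowed, char *out, size_t outlen)
{
    char host[256], want[256];
    out[0] = '\0';
    if (normalize_hostname(canonical, host, sizeof host) != 0)
        return -1;
    for (size_t i = 0; i < n_allowed; i++) {
        if (normalize_hostname(allowed[i], want, sizeof want) == 0 &&
            strcmp(host, want) == 0) {
            int len = snprintf(out, outlen, "%s/%s@%s", service, host, realm);
            return (len > 0 && (size_t)len < outlen) ? 0 : -1;
        }
    }
    return -1;                                /* unknown server: refuse the DNS name */
}

int main(void)
{
    /* Constructed allow-list; the canonical name stands in for a reverse-lookup result. */
    static const char *const known[] = { "imap1.example.com", "imap2.example.com" };
    char princ[512];
    if (build_service_principal("imap", "IMAP2.example.com.", "EXAMPLE.COM", known, 2, princ, sizeof princ) == 0)
        printf("service principal: %s\n", princ);
    return 0;
}
```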