loadbalancing of keberized services
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Apr 13 14:42:08 EDT 2004
On Monday, April 12, 2004 16:52:23 -0700 Donn Cave <donn at u.washington.edu>
wrote:
> I believe we're more or less always asking for this trouble.
> If you don't get a canonical, reverse looked-up name back
> out of MIT Kerberos krb5_sname_to_principal(), then you're
> doing something different than me.
Well, for starters, I don't call MIT kerberos krb5_sname_to_principal()
very often, since I don't currently use that implementation.
Performing DNS alias resolution in krb5_sname_to_principal() is insecure
unless you have a well-managed DNSSEC infrastructure, which virtually no
one does. I have always considered this behaviour to be an implementation
bug. While this is not addressed well enough in RFC1510, the next version
of the Kerberos V spec (due out later this year) will include the following
text:
Implementations of Kerberos and protocols based on Kerberos MUST
NOT use insecure DNS queries to canonicalize the hostname
components of the service principal names (i.e. MUST NOT use
insecure DNS queries to map one name to another to determine the
host part of the principal name with which one is to communicate).
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list