DNS SRV Records

Ken Raeburn raeburn at MIT.EDU
Thu Jan 8 16:55:34 EST 2004


On Thursday, Jan 8, 2004, at 16:18 US/Eastern, Daniel Henninger wrote:
> I'm trying to figure out what all of the current (and future supported)
> SRV records for Kerberos are, and some meanings here and there.
>
> So here's the type of entries I have:
>
> For various dns domains:
> _kerberos			TXT	"EOS.NCSU.EDU"
>  to map all machines ending in eos.ncsu.edu to the EOS.NCSU.EDU krb realm.
>

Yes.  Note that there are security issues here, and other mechanisms 
are preferred.  (Unless you've got secure DNS set up, that is.)

>
> For the slave kerberos servers (pretend name is 'kslave'):
> _kerberos._udp			SRV	0 0 88 kslave
> _kerberos-iv._udp		SRV	0 0 750 kslave
> _krb524._udp			SRV	0 0 4444 kslave

You could use _kerberos._tcp here, as well.  And, actually, you'd put 
in these records for the master as well -- any server that will provide 
these services.

> For the master kerberos server (pretend name is 'kmaster'):
> _kerberos-master._udp		SRV	0 0 88 kmaster
> _kerberos-adm._udp		SRV	0 0 749 kmaster
> _kpasswd._udp			SRV	0 0 464 kmaster

kerberos-adm is a tcp service, not udp.  The MIT implementation doesn't 
actually look for that record when running kadmin, though.  (It does 
look for _kerberos-adm._tcp in the password changing code, if it can't 
find _kpasswd._udp.  It uses _kerberos-adm._tcp to find the host(s), 
and then uses UDP and the default kpasswd port number.  This is a poor 
heuristic and should not be relied on.)

> Ok, something I haven't added that I just saw is:
> _kerberos._tcp			SRV	0 0 0 .
> Now.  I don't know what that's supposed to mean.  Does the fact that it's
> a 0 port and a . for the host mean "we don't support tcp kerberos yet"?
> An indication to windows clients of sorts?  (I only saw this in the
> windows documentation)

According to RFC 2782, "A DNS RR for specifying the location of 
services (DNS SRV)":

     A Target of "." means that the service is decidedly not available 
at this domain.

So, yes, it means TCP Kerberos service isn't supported.  But Windows 
clients aren't the only ones that look for TCP service; MIT's got the 
code too.


> Also, are there other records that I'm missing/don't know about?  Are
> there ones above that absolutely nothing uses?  How do you manage to tell
> krb4 to use dns lookups instead of krb.conf and krb.realms?
>

Offhand, I think you've got them all.

DNS should be used for krb4 if it's compiled in and there's no data for 
the realm in the other config files.

Ken
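As an added illustration of the points in this exchange (not code from the thread or from the MIT implementation), the following Python script parses a constructed zone fragment shaped like the records above, orders SRV answers the way RFC 2782 prescribes (priority first, then weighted selection), treats a lone Target of "." as "service decidedly not available", and reproduces the _kpasswd._udp -> _kerberos-adm._tcp fallback heuristic Ken describes. The realm, hostnames and the record values are placeholders; the simplified "name TYPE rdata" line format and the default kpasswd port 464 are assumptions taken from the records quoted in the thread.

```python
import random
from typing import Dict, List, NamedTuple, Optional, Tuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone fragment in the same "name TYPE rdata" shape as the records
# quoted in the thread. Realm and hostnames are placeholders, not real servers.
ZONE = """
_kerberos              TXT  "EXAMPLE.REALM"
_kerberos._udp         SRV  0 0 88  kslave
_kerberos._udp         SRV  0 0 88  kmaster
_kerberos._tcp         SRV  0 0 0   .
_kerberos-master._udp  SRV  0 0 88  kmaster
_kerberos-adm._tcp     SRV  0 0 749 kmaster
_kpasswd._udp          SRV  0 0 464 kmaster
"""

# Constructed fragment with no _kpasswd._udp record, to exercise the fallback.
ZONE_NO_KPASSWD = """
_kerberos-adm._tcp     SRV  0 0 749 kadminhost
"""

KPASSWD_DEFAULT_PORT = 464  # default kpasswd port, as used in the thread

Records = Dict[Tuple[str, str], List[object]]


def parse_zone(text: str) -> Records:
    """Parse the simplified fragment into {(owner, type): [rdata, ...]}."""
    records: Records = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        owner, rtype, rdata = tokens[0], tokens[1], tokens[2:]
        if rtype == "SRV":
            prio, weight, port, target = rdata
            value: object = SRV(int(prio), int(weight), int(port), target)
        elif rtype == "TXT":
            value = " ".join(rdata).strip('"')
        else:
            continue  # other record types are not needed here
        records.setdefault((owner, rtype), []).append(value)
    return records


def _weighted_order(rrs: List[SRV], rng: random.Random) -> List[SRV]:
    """RFC 2782 weighted selection within one priority level."""
    pending = sorted(rrs, key=lambda r: r.weight != 0)  # zero weights first
    ordered: List[SRV] = []
    while pending:
        total = sum(r.weight for r in pending)
        pick = rng.randint(0, total)
        running = 0
        for i, r in enumerate(pending):
            running += r.weight
            if running >= pick:
                ordered.append(pending.pop(i))
                break
    return ordered


def srv_targets(records: Records, owner: str,
                rng: Optional[random.Random] = None) -> Optional[List[Tuple[str, int]]]:
    """Return (host, port) pairs in RFC 2782 order.

    None -> no SRV record at all (a client may fall back to other config).
    []   -> a lone record with Target "." says the service is decidedly
            not available at this domain (RFC 2782).
    """
    rrs = [r for r in records.get((owner, "SRV"), []) if isinstance(r, SRV)]
    if not rrs:
        return None
    if len(rrs) == 1 and rrs[0].target == ".":
        return []
    rng = rng or random.Random(0)  # seeded only so the example is repeatable
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r.priority for r in rrs}):
        same_prio = [r for r in rrs if r.priority == prio]
        ordered.extend((r.target, r.port) for r in _weighted_order(same_prio, rng))
    return ordered


def kpasswd_endpoints(records: Records) -> List[Tuple[str, int]]:
    """Prefer _kpasswd._udp; otherwise take the host(s) from _kerberos-adm._tcp
    and use UDP on the default port. The reply calls this fallback a poor
    heuristic that should not be relied on; it is reproduced here only to
    show what the behaviour looks like."""
    primary = srv_targets(records, "_kpasswd._udp")
    if primary:
        return primary
    adm = srv_targets(records, "_kerberos-adm._tcp")
    if adm:
        return [(host, KPASSWD_DEFAULT_PORT) for host, _ in adm]
    return []


def realm_from_txt(records: Records, owner: str = "_kerberos") -> Optional[str]:
    """Read the realm-mapping TXT record. Without DNSSEC validation this is
    unauthenticated data, which is the concern raised in the reply."""
    txt = records.get((owner, "TXT"))
    return str(txt[0]) if txt else None


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("realm:", realm_from_txt(recs))
    print("kdc udp:", srv_targets(recs, "_kerberos._udp"))
    print("kdc tcp:", srv_targets(recs, "_kerberos._tcp"))
    print("kpasswd:", kpasswd_endpoints(recs))
```

The distinction between `None` (no record, so consult other configuration) and `[]` (an explicit "." target, so do not try this transport) is the part worth keeping in mind when writing or auditing a resolver: treating the two alike either hides an administrator's deliberate "not available" or makes the client silently skip a service it was meant to find.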


