DNS SRV Records

Daniel Henninger daniel at unity.ncsu.edu
Thu Jan 8 17:10:41 EST 2004


> > For various dns domains:
> > _kerberos			TXT	"EOS.NCSU.EDU"
> >  to map all machines ending in eos.ncsu.edu to the EOS.NCSU.EDU krb
> > realm.
> >
>
> Yes.  Note that there are security issues here, and other mechanisms
> are preferred.  (Unless you've got secure DNS set up, that is.)

The domain to realm mapping has security issues, or -all- of this does?



> > For the slave kerberos servers (pretend name is 'kslave'):
> > _kerberos._udp			SRV	0 0 88 kslave
> > _kerberos-iv._udp		SRV	0 0 750 kslave
> > _krb524._udp			SRV	0 0 4444 kslave
>
> You could use _kerberos._tcp here, as well.  And, actually, you'd put
> in these records for the master as well -- any server that will provide
> these services.

But theoretically we don't like normal clients "bothering" our master.
(just a decision we made...)  That's why I left those out.


> > For the master kerberos server (pretend name is 'kmaster'):
> > _kerberos-master._udp		SRV	0 0 88 kmaster
> > _kerberos-adm._udp		SRV	0 0 749 kmaster
> > _kpasswd._udp			SRV	0 0 464 kmaster
>
> kerberos-adm is a tcp service, not udp.  The MIT implementation doesn't
> actually look for that record when running kadmin, though.  (It does
> look for _kerberos-adm._tcp in the password changing code, if it can't
> find _kpasswd._udp.  It uses _kerberos-adm._tcp to find the host(s),
> and then uses UDP and the default kpasswd port number.  This is a poor
> heuristic and should not be relied on.)

And I actually have it as tcp, I just can't type apparently.  =)  I went
ahead and added -adm just because the docs I read said "in the future
it'll be supported", so...  figured I'd get things in place for potential
future krb implementations.

> > Ok, something I haven't added that I just saw is:
> > _kerberos._tcp			SRV	0 0 0 .
> > Now.  I don't know what that's supposed to mean.  Does the fact that it's
> > a 0 port and a . for the host mean "we don't support tcp kerberos yet"?
> > An indication to windows clients of sorts?  (I only saw this in the
> > windows documentation)
>
> According to RFC 2782, "A DNS RR for specifying the location of
> services (DNS SRV)":
>
>      A Target of "." means that the service is decidedly not available
> at this domain.
>
> So, yes, it means TCP Kerberos service isn't supported.  But Windows
> clients aren't the only ones that look for TCP service; MIT's got the
> code too.

Does 1.2.8 support that?  (that's what we're running right now, I haven't
decided to delve us into the 1.3 series just yet)  I was to understand
from some changelogs that tcp support there was a 1.3 thing.


> Offhand, I think you've got them all.
>
> DNS should be used for krb4 if it's compiled in and there's no data for
> the realm in the other config files.

Sweet!  Let me make sure I understand the realm mappings 100%.  My
understanding is that a default_realm under libdefaults makes it so the
domain -> realm mappings aren't that necessary.  IE, if I'm on
ghidora.unity.ncsu.edu, and my krb5.conf says my default_realm is
EOS.NCSU.EDU, then I don't need the mapping to say unity.ncsu.edu =
EOS.NCSU.EDU... right?

Daniel

-- 
/\\\----------------------------------------------------------------------///\
\ \\\      Daniel Henninger           http://www.vorpalcloud.org/        /// /
 \_\\\      North Carolina State University - Systems Programmer        ///_/
    \\\                   Information Technology <IT>                  ///
     """--------------------------------------------------------------"""