DNS SRV Records, other things

Daniel Henninger daniel at unity.ncsu.edu
Fri Jan 9 08:06:49 EST 2004


> The domain to realm mapping, if spoofed, can trick a client program
> into authenticating to the wrong realm.  If the appropriate principals
> exist in that other realm (perhaps set up by a less than scrupulous
> administrator), and the address record lookup is similarly spoofed (or
> the traffic is intercepted, or anything similar), then the client would
> quietly authenticate (successfully) to the wrong server, the user would
> send his private data, etc.

Eww...  Ok, I'm removing them.

> Ah, yes, that's fine too.  At MIT, at least, we haven't noticed client
> exchanges being a significant load, so we don't worry about it.  You
> could also use SRV record priorities (which we support) and weights
> (which we don't, yet) to express other policies, like using the master
> if no answer is heard from the slaves, or (if you want to implement
> weights, hint hint :-) sending a much smaller fraction of the traffic
> to the master than to any of the slaves, etc.

*grin*  I may look into it if I can find some free time!


Ok, one unrelated-to-DNS-SRV thing.  We changed the way we do a couple of
things when we moved to 1.2.8 (and Solaris 8).  Previously, every morning
we restarted krb5kdc to rotate its logs.  Very brief outage, obviously.
Now, however, I make use of syslog so we don't have to ever have any
outage whatsoever.  That said, for some reason krb524d seems to have a
"leak" or something.  After X days (X I haven't determined exactly yet,
and it might not be a set number) krb524d croaks, no errors in the logs,
no nothing.  I resorted to running a job to check for it and bring it back
up if it dies, but...   I don't understand why it's "suddenly" croaking on
a somewhat regular basis.  Are there known issues with it?  (for that
matter, was it ever made non-experimental/alpha/whatever it was labeled
before?)  At first I figured we used to restart it nightly as well, but
that turned out not to be the case.

Daniel

-- 
/\\\----------------------------------------------------------------------///\
\ \\\      Daniel Henninger           http://www.vorpalcloud.org/        /// /
 \_\\\      North Carolina State University - Systems Programmer        ///_/
    \\\                   Information Technology <IT>                  ///
     """--------------------------------------------------------------"""

