DNS SRV Records, other things
Daniel Henninger
daniel at unity.ncsu.edu
Fri Jan 9 08:06:49 EST 2004
> The domain to realm mapping, if spoofed, can trick a client program
> into authenticating to the wrong realm. If the appropriate principals
> exist in that other realm (perhaps set up by a less than scrupulous
> administrator), and the address record lookup is similarly spoofed (or
> the traffic is intercepted, or anything similar), then the client would
> quietly authenticate (successfully) to the wrong server, the user would
> send his private data, etc.
Eww... Ok, I'm removing them.
> Ah, yes, that's fine too. At MIT, at least, we haven't noticed client
> exchanges being a significant load, so we don't worry about it. You
> could also use SRV record priorities (which we support) and weights
> (which we don't, yet) to express other policies, like using the master
> if no answer is heard from the slaves, or (if you want to implement
> weights, hint hint :-) sending a much smaller fraction of the traffic
> to the master than to any of the slaves, etc.
*grin* I may look into it if I can find some free time!
Ok, one unrelated-to-dns srv thing. We changed the way we do a couple of
things when we moved to 1.2.8 (and Solaris 8). Previously, every morning
we restarted krb5kdc to rotate its logs. Very brief outage, obviously.
Now, however, I make use of syslog so we don't have to ever have any
outage whatsoever. That said, for some reason krb524d seems to have a
"leak" or something. After X days (X I haven't determined exactly yet,
and it might not be a set number) krb524d croaks, no errors in the logs,
no nothing. I resorted to running a job to check for it and bring it back
up if it dies, but... I don't understand why it's "suddenly" croaking on
a somewhat regular basis. Are there known issues with it? (for that
matter, was it ever made non-experimental/alpha/whatever it was labeled
before?) At first I figured we used to restart it nightly as well, but
that turned out not to be the case.
Daniel
--
/\\\----------------------------------------------------------------------///\
\ \\\ Daniel Henninger http://www.vorpalcloud.org/ /// /
\_\\\ North Carolina State University - Systems Programmer ///_/
\\\ Information Technology <IT> ///
"""--------------------------------------------------------------"""