DNS SRV Records, other things

Ken Raeburn raeburn at MIT.EDU
Fri Jan 9 18:07:59 EST 2004


Daniel Henninger <daniel at unity.ncsu.edu> writes:

>> The domain to realm mapping, if spoofed, can trick a client program
>> into authenticating to the wrong realm.  If the appropriate principals
>> exist in that other realm (perhaps set up by a less than scrupulous
>> administrator), and the address record lookup is similarly spoofed (or
>> the traffic is intercepted, or anything similar), then the client would
>> quietly authenticate (successfully) to the wrong server, the user would
>> send his private data, etc.
>
> Eww...  Ok, I'm removing them.

Note that it's not the presence of the DNS TXT records that creates
the risk; it's the willingness to use TXT records by the client.  The
MIT clients won't use them by default.  All removing the TXT records
will do is prevent people in your realm or talking to your realm from
having things actually work if they do try turning on the option and
don't have the appropriate data in their config files.  (And if
someone does try it, and someone else is spoofing answers, it won't
matter whether you've got the TXT records or not.)

But that small disincentive, making the TXT record option less useful,
may still be worthwhile, if that fits with your security model.

Ken
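
As an added illustration (not part of Ken's message or the MIT krb5 distribution): the client-side option he refers to is `dns_lookup_realm` in the `[libdefaults]` section of krb5.conf. The fragment below places the setting that makes a client trust `_kerberos.<domain>` TXT records for domain-to-realm mapping beside the default configuration, which relies only on the local `[domain_realm]` table. `EXAMPLE.COM` and `example.com` are placeholders.

```ini
# Assumption: MIT krb5 client reading krb5.conf; realm and domain names
# below are placeholders, not values from the original message.

# --- Weak: DNS-based realm mapping enabled ---
# The client will look up _kerberos.<domain> TXT records to decide which
# realm a host belongs to. A spoofed TXT answer (plus a spoofed address
# record or intercepted traffic) can steer the client to the wrong realm.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true

# --- Preferred (and the MIT default): DNS-based realm mapping disabled ---
# With dns_lookup_realm = false the client never consults TXT records; the
# mapping must come from the local [domain_realm] table, which an attacker
# who controls DNS answers cannot alter. Keep that table complete so that
# nobody is tempted to turn the DNS option on to make things "just work".
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

A quick check on a client is to confirm `dns_lookup_realm` is absent or `false` in krb5.conf and that every domain the client authenticates to has an explicit `[domain_realm]` entry.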

