Kerberos authentication without reverse lookup

Rachel Elizabeth Dillon red at MIT.EDU
Mon Jan 17 16:49:14 EST 2005


On Mon, Jan 17, 2005 at 04:40:59AM +0100, Fredrik Tolf wrote:
> I was thinking about adding local hints to our own reverse zones to our
> Bind configs to make reverse lookups work just between our own networks,
> but that will be extremely difficult at best, since he has a dynamic IP.
> We can figure out how to update the forward zones when his IP changes,
> but since updating the reverse zones involves creating an entire new
> zone each time, that solution feels a bit hopeless... :-(

Making a new zone is not particularly harder than updating an existing
zone. It will lead to a bunch of useless reverse zone files, but you could
write a script to clean those up too. I am assuming that you are running
your own DNS servers here; if not, I am not sure what you would do. If
you are running your own DNS server, you still have to tread carefully
when making yourself the primary source of reverse DNS information, but
I think you should be able to do it. (You should even be able to set up
something that does the updates automatically; I would use Net::DNS in
Perl to do this, but I am sure there are plenty of fine solutions.)

> So, is there anyone who has experienced a similar situation before and
> solved it? Is there, by any chance, another way of letting Kerberos
> canonicalize service principal names?

I've never had to deal with this personally, nor do I know of another way
to canonicalize service principal names; I just happen to have been doing
a lot of work with DNS recently. :)

Best of luck,

-r.
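The approach sketched in the reply above (declare a fresh reverse zone each time the dynamic address changes, and script away the stale files) as a worked example. This is added illustration, not code from the thread, from Rachel, or from MIT; it uses Python instead of the Net::DNS/Perl route she mentions. The documentation-range address 203.0.113.x, the example.net hostnames, the `db.rev.` file prefix and the directory layout are all constructed assumptions. It generalizes slightly beyond the thread: `reverse_name` also handles IPv6 (ip6.arpa), and the zone is declared at the full reverse name of the single address rather than at the ISP's whole /24, so only that one PTR is answered locally and the rest of the block still resolves through the real reverse tree. A Kerberos client that canonicalizes a service principal through a reverse lookup then gets the locally served PTR for that address.

```python
"""Generate a single-address BIND reverse zone for a host with a dynamic IP.

Added example for the mailing-list thread; not the poster's or MIT's code.
All names, addresses and paths below are constructed assumptions.
"""
import ipaddress
import os
import re
import shutil
import tempfile

# Constructed sample values (RFC 5737 documentation range, example domains).
SAMPLE_OLD_IP = "203.0.113.57"
SAMPLE_NEW_IP = "203.0.113.58"
SAMPLE_HOST = "kdc-client.example.net."      # trailing dot: fully qualified
PRIMARY_NS = "ns1.example.net."               # assumed authoritative server
RNAME = "hostmaster.example.net."             # assumed SOA contact
ZONE_FILE_PREFIX = "db.rev."                  # assumed file-naming convention


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, e.g. 57.113.0.203.in-addr.arpa.

    ipaddress handles both families, so IPv6 gives the ip6.arpa nibble form.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def zone_file(ip: str, hostname: str, serial: int) -> str:
    """Render a BIND master file whose apex is the full reverse name of ip.

    Putting the PTR at the apex of a zone named after the single address
    means the local server is authoritative for that one name only.
    """
    if not hostname.endswith("."):
        raise ValueError("hostname must be fully qualified (trailing dot)")
    origin = reverse_name(ip) + "."
    # Short TTL: the address is dynamic and the PTR will be replaced again.
    return (
        f"$ORIGIN {origin}\n"
        f"$TTL 300\n"
        f"@ IN SOA {PRIMARY_NS} {RNAME} {serial} 3600 900 604800 300\n"
        f"@ IN NS {PRIMARY_NS}\n"
        f"@ IN PTR {hostname}\n"
    )


def named_conf_stanza(ip: str, path: str) -> str:
    """The zone declaration to drop into named.conf for the generated file."""
    return (
        f'zone "{reverse_name(ip)}" {{\n'
        f"    type master;\n"
        f'    file "{path}";\n'
        f"}};\n"
    )


def ptr_target(zone_text: str):
    """Extract the PTR target from a rendered zone (what a resolver sees)."""
    m = re.search(r"^@\s+IN\s+PTR\s+(\S+)$", zone_text, re.M)
    return m.group(1) if m else None


def write_zone(directory: str, ip: str, hostname: str, serial: int) -> str:
    """Write the zone file for ip into directory and return its path."""
    path = os.path.join(directory, ZONE_FILE_PREFIX + reverse_name(ip))
    with open(path, "w") as fh:
        fh.write(zone_file(ip, hostname, serial))
    return path


def purge_stale(directory: str, current_ip: str) -> list:
    """Delete zone files left over from earlier addresses; return their names."""
    keep = ZONE_FILE_PREFIX + reverse_name(current_ip)
    removed = []
    for name in sorted(os.listdir(directory)):
        if name.startswith(ZONE_FILE_PREFIX) and name != keep:
            os.remove(os.path.join(directory, name))
            removed.append(name)
    return removed


def demo():
    """Simulate one address change in a scratch directory.

    Returns (files removed by purge, files remaining afterwards).
    """
    workdir = tempfile.mkdtemp()
    try:
        write_zone(workdir, SAMPLE_OLD_IP, SAMPLE_HOST, 2005011701)
        write_zone(workdir, SAMPLE_NEW_IP, SAMPLE_HOST, 2005011702)
        removed = purge_stale(workdir, SAMPLE_NEW_IP)
        remaining = sorted(os.listdir(workdir))
    finally:
        shutil.rmtree(workdir)
    return removed, remaining


if __name__ == "__main__":
    print(zone_file(SAMPLE_NEW_IP, SAMPLE_HOST, 2005011702))
    print(named_conf_stanza(SAMPLE_NEW_IP, "/var/named/db.rev.example"))
    print(demo())
```

In practice the script would be run from whatever already notices the address change (the same hook that updates the forward zone), followed by a reload of the name server; the named.conf stanza for the old address needs removing at the same time as its file. Because the local server is answering for a name inside someone else's address block, the caveat in the reply stands: keep the TTL short and make sure only your own resolvers use this server as their source for that name.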

