Kerberos authentication without reverse lookup
Roland Dowdeswell
elric at imrryr.org
Wed Jan 19 13:10:18 EST 2005
On 1106156684 seconds since the Beginning of the UNIX epoch
Donn Cave wrote:
>
> Fredrik Tolf <fredrik at dolda2000.com> wrote:
>> I'm sorry if I'm wrong, but doesn't getaddrinfo get ai_canonname by
>> doing a reverse lookup? When I tried it out, at least that is what
>> happened.
That's unfortunate.
> It depends on the platform. The GNU getaddrinfo implementation
> does. I'm assuming AI_CANONNAME in ai_flags.
>
> NetBSD 2.0, AIX 5.2 don't, they stop at what you'd get from
> gethostbyname() -- they look up CNAME aliases but don't
> look up the IP PTR.
>
> Also might be worth mentioning that the MIT implementation
> also uses this in several places, though in the critical
> sname_to_principal() function it uses getnameinfo for the
> lookup.
>
> Secure DNS would be nice for all this.
IMO, using IP PTRs is the wrong way to do this. Even with Secure
DNS, you are less likely to trust the IP PTR RRs because they are
frequently controlled by a different organisation. E.g. my laptop
at random locations: I can use Dynamic DNS to update the forward
lookups properly, but I do not control the IP PTR RRs. Even if I
have a secure way of querying the PTR RRs, they are not under my
control and therefore I should not trust them. Or if I have a
machine co-located, the PTR RRs are under the control of the ISP
not me. PTR RRs should not be used (IMO, again) for any security
sensitive reason---even with secure DNS.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
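As an added illustration of the forward-only approach argued for above (example code written for this page, not code from MIT Kerberos or from any poster in the thread), the following C program derives a host-based service principal from the ai_canonname that getaddrinfo(AI_CANONNAME) returns and never calls getnameinfo on the address; the realm EXAMPLE.COM and the default host name are placeholders, and the glibc caveat from the thread still applies.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Forward-only canonicalisation: use the ai_canonname that
 * getaddrinfo(AI_CANONNAME) returns and never query the address's PTR RR.
 * Caveat from the thread: glibc may fill ai_canonname from a reverse lookup
 * anyway; NetBSD and AIX stop at the CNAME chain.  Returns 0 or -1. */
int canon_forward(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    const char *c = (res->ai_canonname && *res->ai_canonname) ? res->ai_canonname : host;
    int rc = snprintf(out, outlen, "%s", c) < (int)outlen ? 0 : -1;
    freeaddrinfo(res);
    return rc;
}

/* Build "host/<fqdn>@<REALM>": lower-case the host (Kerberos convention) and
 * drop a trailing dot that some resolvers leave on ai_canonname.  0 or -1. */
int build_host_principal(const char *canon, const char *realm, char *out, size_t outlen)
{
    char host[256];
    size_t n = strlen(canon);
    if (n == 0 || n >= sizeof host) return -1;
    if (canon[n - 1] == '.')
        n--;                                   /* strip trailing dot */
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)canon[i]);
    host[n] = '\0';
    return snprintf(out, outlen, "host/%s@%s", host, realm) < (int)outlen ? 0 : -1;
}

int main(int argc, char **argv)
{
    char canon[256], princ[512];
    const char *h = argc > 1 ? argv[1] : "localhost";   /* placeholder host name */
    if (canon_forward(h, canon, sizeof canon) != 0 ||
        build_host_principal(canon, "EXAMPLE.COM", princ, sizeof princ) != 0)
        return 1;
    printf("%s -> %s -> %s\n", h, canon, princ);
    return 0;
}
```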