Question about dns_lookup_realm and domain_realm

Jos Backus jos at catnook.com
Thu Jun 26 23:04:34 EDT 2008


(I know, following up on myself...)

http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS says:

"The second mechanism works by looking up the information in special TXT
records in the Domain Name Service. This is currently not used by default
because security holes could result if the DNS TXT records were spoofed. If
this mechanism is enabled on the client, it will try to look up a TXT record
for the DNS name formed by putting the prefix _kerberos in front of the
hostname in question."

(Fwiw, 1.5.4 has similar verbiage.) The dns_lookup_realm libdefaults option
supposedly enables this mechanism on the client. The doc for it says:

"Indicate whether DNS TXT records should be used to determine the Kerberos
realm of a host."

However, this doesn't actually work (at least in krb5 1.6.1, and likely other
MIT versions as well), so either the docs are incorrect or there's a bug.

Clients appear to use krb5_get_host_realm() (perhaps through calling
krb5_sname_to_principal(), as in the case of kprop.c), _not_
krb5_get_fallback_host_realm(), which does have code to look up a _kerberos.FQDN
TXT RR (but doesn't handle domain_realm).

The attached proof-of-concept patch adds a new libdefaults option,
dns_lookup_host_realm, which corrects this. When set (it defaults to false),
the DNS TXT RR lookup is attempted first, and if it succeeds, the TXT RR's
value is used as the realm.

The code is cribbed from krb5_get_fallback_host_realm(), so some refactoring
is clearly needed. Also, I realize there's no documentation. If you think this
is a useful change I'm willing to clean it up some more and add documentation.
Otherwise I'll just keep it as a local patch, as it fixes my particular issue.

Thanks,
-- 
Jos Backus
jos at catnook.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kerberos-dns_lookup_host_realm.diff
Type: text/x-diff
Size: 3794 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080626/30d30b3e/attachment.bin
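To make the two realm-mapping mechanisms the post contrasts concrete, here is a small offline model of how a client maps a host name to a realm: the static `[domain_realm]` table first, then (only when the DNS option is enabled) a `_kerberos.<name>` TXT lookup, and finally the usual fallback of taking the host's domain as the realm. This is an added illustration, not Jos's patch and not MIT krb5's own code; the `[domain_realm]` entries, the TXT records, the parent-domain walk-up order, the uppercase-domain fallback and the `dns_lookup_realm` keyword are all constructed or assumed here for the example. The last call shows why the option defaults to off: with the DNS path enabled, whatever TXT answer the resolver returns decides the realm.

```python
"""Constructed model of Kerberos host-to-realm mapping (not MIT krb5 code)."""
from typing import Callable, Dict, Optional, Tuple

# Constructed [domain_realm] section. Keys with a leading dot match any host
# below that domain; keys without one match a single host exactly.
DOMAIN_REALM: Dict[str, str] = {
    ".corp.example.com": "CORP.EXAMPLE.COM",
    "legacy.example.com": "OLD.EXAMPLE.COM",
}

# Constructed TXT records standing in for DNS answers (no network access).
TXT_RECORDS: Dict[str, str] = {
    "_kerberos.lab.example.com": "RESEARCH.EXAMPLE.COM",
    "_kerberos.example.com": "EXAMPLE.COM",
}


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in resolver: return the TXT value for a name, or None."""
    return TXT_RECORDS.get(name.lower())


def _labels(host: str) -> list:
    return host.lower().rstrip(".").split(".")


def realm_from_domain_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact host entry first, then the longest matching '.domain' entry."""
    labels = _labels(host)
    exact = ".".join(labels)
    if exact in mapping:
        return mapping[exact]
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def realm_from_dns_txt(host: str, txt_lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Try _kerberos.<host>, then _kerberos.<parent> up the tree (assumed order)."""
    labels = _labels(host)
    for i in range(len(labels)):
        value = txt_lookup("_kerberos." + ".".join(labels[i:]))
        if value:
            return value
    return None


def default_realm_guess(host: str) -> Optional[str]:
    """Assumed last resort: the host's domain, upper-cased, is taken as the realm."""
    labels = _labels(host)
    if len(labels) < 2:
        return None
    return ".".join(labels[1:]).upper()


def host_realm(
    host: str,
    *,
    domain_realm: Dict[str, str] = DOMAIN_REALM,
    dns_lookup_realm: bool = False,
    txt_lookup: Callable[[str], Optional[str]] = lookup_txt,
) -> Tuple[Optional[str], str]:
    """Return (realm, source) where source names which mechanism decided."""
    realm = realm_from_domain_realm(host, domain_realm)
    if realm:
        return realm, "domain_realm"
    if dns_lookup_realm:  # off by default: a spoofed TXT answer would pick the realm
        realm = realm_from_dns_txt(host, txt_lookup)
        if realm:
            return realm, "dns_txt"
    return default_realm_guess(host), "domain_name"


if __name__ == "__main__":
    for h, dns in [("db.corp.example.com", False), ("web.lab.example.com", False),
                   ("web.lab.example.com", True), ("files.example.com", True)]:
        print(h, "dns_lookup_realm=%s" % dns, "->", host_realm(h, dns_lookup_realm=dns))
    # Constructed poisoned answer: with the DNS path on, the resolver's word wins.
    poisoned = lambda n: "BOGUS.EXAMPLE" if n == "_kerberos.web.lab.example.com" else None
    print("poisoned TXT ->", host_realm("web.lab.example.com", dns_lookup_realm=True,
                                          txt_lookup=poisoned))
```

Two things to take from the model: a `[domain_realm]` entry always wins over DNS, so hosts you care about can be pinned there regardless of the option, and the `domain_name` fallback is silent, which is exactly the situation the post describes when the TXT lookup is never reached.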