Question about dns_lookup_realm and domain_realm

Jeffrey Altman jaltman at secure-endpoints.com
Fri Jun 27 00:52:49 EDT 2008


Jos Backus wrote:
> (I know, following up on myself...)
>
> http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS says:
>
> "The second mechanism works by looking up the information in special TXT
> records in the Domain Name Service. This is currently not used by default
> because security holes could result if the DNS TXT records were spoofed. If
> this mechanism is enabled on the client, it will try to look up a TXT record
> for the DNS name formed by putting the prefix _kerberos in front of the
> hostname in question."
>
> (Fwiw, 1.5.4 has similar verbiage.) The dns_lookup_realm libdefaults option
> supposedly enables this mechanism on the client. The doc for it says:
>
> "Indicate whether DNS TXT records should be used to determine the Kerberos
> realm of a host."
>
> However, this doesn't actually work (at least in krb5 1.6.1, and likely other
> MIT versions as well), so either the docs are incorrect or there's a bug.
>
This behavior was most likely broken when the referrals code was added. 

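Added illustration (not code from this thread and not MIT krb5's own implementation): a small Python model of the two realm-mapping mechanisms the quoted documentation describes, the static [domain_realm] table from krb5.conf and the _kerberos.<name> TXT walk that dns_lookup_realm is supposed to enable. The domain_realm table, the DNS zone contents, the hostnames and the realm names are all constructed for the example; the resolver is a dictionary so the script runs offline. The matching rules are a simplified reading of the krb5 documentation, not a transcription of the library's code.

```python
"""Hostname -> Kerberos realm mapping, modelled on the two mechanisms in the
krb5 admin guide: [domain_realm] first, then _kerberos.<name> TXT records
(only when dns_lookup_realm is on). Added example, not MIT krb5 code."""

from typing import Callable, Dict, List, Optional

TxtResolver = Callable[[str], List[str]]

# Constructed krb5.conf [domain_realm] section (hypothetical names):
#   [domain_realm]
#       .example.com        = EXAMPLE.COM
#       example.com         = EXAMPLE.COM
#       legacy.example.com  = OLD.EXAMPLE.COM
DOMAIN_REALM: Dict[str, str] = {
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
    "legacy.example.com": "OLD.EXAMPLE.COM",
}

# Constructed DNS zone data standing in for real TXT records. In the real
# world these answers are unauthenticated unless validated with DNSSEC,
# which is why the docs leave dns_lookup_realm off by default.
FAKE_TXT: Dict[str, List[str]] = {
    "_kerberos.example.org": ["EXAMPLE.ORG"],
    "_kerberos.lab.example.org": ["LAB.EXAMPLE.ORG"],
}


def fake_txt_resolver(name: str) -> List[str]:
    """Offline stand-in for a TXT query; returns [] for NXDOMAIN/NODATA."""
    return FAKE_TXT.get(name.lower().rstrip("."), [])


def domain_realm_lookup(host: str, table: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Static [domain_realm] match: an exact hostname entry wins, otherwise the
    most specific ".parent.domain" entry. Never touches the network."""
    h = host.lower().rstrip(".")
    if h in table:
        return table[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def dns_txt_realm_lookup(host: str, resolve: TxtResolver = fake_txt_resolver) -> Optional[str]:
    """The _kerberos TXT mechanism: query _kerberos.<host>, then _kerberos.<parent>
    and so on, stopping before the bare TLD. First answer wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(0, len(labels) - 1):
        name = "_kerberos." + ".".join(labels[i:])
        answers = resolve(name)
        if answers:
            return answers[0].strip()
    return None


def host_to_realm(host: str, dns_lookup_realm: bool = False,
                  resolve: TxtResolver = fake_txt_resolver) -> Optional[str]:
    """Order of precedence as the admin guide describes it: the static table is
    consulted first; the spoofable DNS path is tried only if it is enabled and
    the table had no match."""
    realm = domain_realm_lookup(host)
    if realm is not None:
        return realm
    if dns_lookup_realm:
        return dns_txt_realm_lookup(host, resolve)
    return None


if __name__ == "__main__":
    for h, dns in [("www.example.com", False), ("legacy.example.com", False),
                   ("host.lab.example.org", False), ("host.lab.example.org", True),
                   ("host.example.org", True), ("host.nowhere.test", True)]:
        print(f"{h:24} dns_lookup_realm={dns!s:5} -> {host_to_realm(h, dns)}")
```

The practical takeaway the model makes visible: a host under a domain that is covered by [domain_realm] never causes a TXT query, so a static mapping is both the reliable path (given the breakage discussed in the thread) and the one that does not trust unauthenticated DNS answers.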
