Question about dns_lookup_realm and domain_realm

Simo Sorce ssorce at redhat.com
Fri Jun 27 11:17:11 EDT 2008


On Fri, 2008-06-27 at 01:57 -0400, Jeffrey Altman wrote:
> Jos Backus wrote:
> > On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
> >> This behavior was most likely broken when the referrals code was added. 
> >
> > So it's a regression. Until this is fixed properly (which I don't claim my
> > patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong
> > with the patch as such?

> There are several issues here.  First, DNS TXT records are known to be 
> insecure.

Jeff,
this statement is interesting, how are TXT records "insecure" ?

>   Turning
> them on for use in realm resolution provides for convenience but at the 
> risk that your clients
> can be redirected to a realm that you do not control.

You can do the same with DNS poisoning, if you do not trust DNS any name
resolution becomes "insecure".
Isn't "validation" all about verifying the KDC is one we can really
trust by using a trusted secret ?

> Second, any domain_realm mapping for your domain .foo.com is going to 
> override the use
> of DNS lookups.  That is because local configuration data is considered 
> to be trustworthy
> whereas DNS lookups are not.

How is local configuration data trustworthy given that to resolve names
to IPs we still rely on DNS ? Or do you also rely on /etc/hosts for most
of the data ?

> The safe way to add DNS TXT records back into the equation would be to 
> add the DNS TXT
> lookup after the referrals request fails.

Do we have information on which clients support referrals ?
And are they implemented in MIT KDC (and how) ?

thanks,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
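The precedence the thread argues about, local [domain_realm] data first and DNS TXT only afterwards, as an added example that is not code from the thread or from MIT krb5; it is a simplified model of the host-to-realm walk-up, with the TXT "resolver" replaced by a constructed dictionary so it runs offline.

```python
# Simplified model (added here, not MIT krb5's implementation) of how a Kerberos
# client maps a host name to a realm: the local [domain_realm] map is consulted
# first, and _kerberos.<name> TXT records only if dns_lookup_realm is enabled.
from typing import Callable, Dict, Optional, Tuple

# Constructed krb5.conf-style [domain_realm] entries. A key with a leading dot
# covers every host under that domain; a key without it matches one host only.
DOMAIN_REALM: Dict[str, str] = {
    ".foo.com": "FOO.COM",
    "kdc.lab.foo.com": "LAB.FOO.COM",
}

# Constructed stand-in for _kerberos.<name> TXT answers seen from the network.
# The foo.com entry models a spoofed or poisoned zone pointing at a foreign realm.
DNS_TXT: Dict[str, str] = {
    "foo.com": "ATTACKER-CONTROLLED.EXAMPLE",
    "bar.org": "BAR.ORG",
}

def txt_lookup(name: str) -> Optional[str]:
    """Constructed replacement for a real _kerberos.<name> TXT query."""
    return DNS_TXT.get(name.lower())

def host_realm(host: str, domain_realm: Dict[str, str],
               dns_lookup_realm: bool = False,
               txt: Callable[[str], Optional[str]] = txt_lookup
               ) -> Tuple[Optional[str], str]:
    """Return (realm, source): local config wins, DNS is a fallback at best."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # 1. Exact host entry, then walk up the domain tree using dotted keys.
    if host in domain_realm:
        return domain_realm[host], "domain_realm"
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key], "domain_realm"
    # 2. Only now (and only if enabled) ask DNS, again walking up the tree.
    if dns_lookup_realm:
        for i in range(len(labels)):
            realm = txt(".".join(labels[i:]))
            if realm:
                return realm, "dns_txt"
    return None, "none"
```

With a [domain_realm] entry for .foo.com the spoofed TXT record is never consulted; with no local entry and dns_lookup_realm enabled the client follows whatever DNS returns.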
