Question about dns_lookup_realm and domain_realm

Ken Raeburn raeburn at MIT.EDU
Fri Jun 27 11:32:28 EDT 2008


On Jun 27, 2008, at 11:17, Simo Sorce wrote:
> this statement is interesting, how are TXT records "insecure" ?

If a forged TXT RR is received, the client may be told the server is
in a different realm.  That realm may have been compromised by an
attacker, and cross-realm authentication to it may be possible
(especially if and when we get something PKINIT-like deployed).  So
the client can "successfully" authenticate to host/server.foo.com@BLACK-HATS.TLD,
and never know that that's not the principal it should be
authenticating to for server.foo.com.

> Isn't "validation" all about verifying the KDC is one we can really
> trust by using a trusted secret ?

Cross-realm authentication and the possibility of compromised  
"neighbor" realms makes it much more complicated.

> How is local configuration data trustworthy given that to resolve names
> to IPs we still rely on DNS ?

Trusting address records from DNS, but not trusting DNS at all for  
authentication purposes, would mean the attacker could get the client  
to connect to server.black-hats.tld, but it would try authenticating  
to the originally intended service principal; since the black hats  
don't have the service key, it would fail, and the client should  
disconnect.  It's a denial of service, but not a transparent spoofing  
of the service.

> Do we have information on which clients support referrals ?

Current Microsoft and MIT clients do; I wouldn't be surprised if
Heimdal does as well.

> And are they implemented in MIT KDC (and how) ?

Not yet.  A basic implementation (using the domain_realm mapping from  
the KDC's config files) is currently on my plate.

Ken
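The realm-selection order the thread is arguing about, as an added example that is not part of the original message and not MIT krb5 code. It models the documented precedence as an assumption: a local [domain_realm] entry wins; DNS TXT records are consulted only when dns_lookup_realm is enabled and nothing local matched; otherwise default_realm is used. The krb5.conf fragments and the "DNS" dictionary (holding a forged _kerberos TXT record) are constructed here so the script runs offline; the function names are hypothetical.

```python
"""Model of realm selection for a service host (added example, not MIT krb5).

Assumed precedence, taken from the krb5.conf documentation:
  1. [domain_realm]: exact hostname, then each parent domain with a leading
     dot (a bare domain entry is treated as implying the dotted form);
  2. DNS TXT records _kerberos.<host>, then parents, only if
     dns_lookup_realm is true and step 1 found nothing;
  3. default_realm.
"""
from configparser import ConfigParser

# Constructed configs: dns_lookup_realm enabled with no local mapping for
# foo.com (weak) beside the hardened form (TXT lookup off, local mapping on).
KRB5_CONF_WEAK = """
[libdefaults]
default_realm = FOO.COM
dns_lookup_realm = true
"""

KRB5_CONF_HARDENED = """
[libdefaults]
default_realm = FOO.COM
dns_lookup_realm = false

[domain_realm]
.foo.com = FOO.COM
foo.com = FOO.COM
"""

# Constructed stand-in for the DNS resolver: a forged TXT record that
# points server.foo.com at a realm the client should never trust.
FORGED_TXT = {
    "_kerberos.server.foo.com": "BLACK-HATS.TLD",
}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def local_realm_for_host(domain_realm, host):
    """Step 1: most specific local [domain_realm] entry, or None."""
    labels = _labels(host)
    if ".".join(labels) in domain_realm:
        return domain_realm[".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):  # dotted form first
            if key in domain_realm:
                return domain_realm[key]
    return None


def txt_realm_for_host(txt_records, host):
    """Step 2: _kerberos.<host> TXT record, walking up the parent domains."""
    labels = _labels(host)
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt_records:
            return txt_records[name]
    return None


def realm_for_host(conf_text, host, txt_records):
    """Return (realm, source) where source records which step decided."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domain_realm = dict(cp["domain_realm"]) if cp.has_section("domain_realm") else {}

    realm = local_realm_for_host(domain_realm, host)
    if realm is not None:
        return realm, "domain_realm"
    if cp.getboolean("libdefaults", "dns_lookup_realm", fallback=False):
        realm = txt_realm_for_host(txt_records, host)
        if realm is not None:
            return realm, "dns_txt"  # attacker-influenced when TXT is forged
    return cp["libdefaults"]["default_realm"], "default_realm"


def service_principal(conf_text, host, txt_records):
    """The principal the client would end up authenticating to."""
    realm, _ = realm_for_host(conf_text, host, txt_records)
    return "host/%s@%s" % (host.lower(), realm)


if __name__ == "__main__":
    for label, conf in (("weak", KRB5_CONF_WEAK), ("hardened", KRB5_CONF_HARDENED)):
        realm, source = realm_for_host(conf, "server.foo.com", FORGED_TXT)
        print("%-8s realm=%s (decided by %s)" % (label, realm, source))
```

With the weak config the forged record decides the realm and the client builds host/server.foo.com@BLACK-HATS.TLD, exactly the case described above; with the hardened config the local mapping short-circuits before DNS is ever consulted, so a spoofed address record can at worst send the client to a host that lacks the FOO.COM service key.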


