Question about dns_lookup_realm and domain_realm
Simo Sorce
ssorce at redhat.com
Fri Jun 27 11:51:14 EDT 2008
On Fri, 2008-06-27 at 11:31 -0400, Jeffrey Altman wrote:
> Simo Sorce wrote:
> >> There are several issues here. First, DNS TXT records are known to be
> >> insecure.
> >
> > Jeff,
> > this statement is interesting, how are TXT records "insecure"?
> I will refer you to the security considerations section of the internet
> draft. Note that the insecurity is one reason that the TXT record portion
> of the draft was not added to RFC 4120 as the DNS SRV records portion was.
>
> http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03
Thanks, the explanation there makes a lot of sense, but reading between
the lines it probably would not affect the original poster's security,
because the "insecurity" of the TXT record is exploitable only in case a
trusted realm is compromised (and the DNS spoofed at the same time).
But it is a very interesting consideration nonetheless.
> > How is local configuration data trustworthy given that to resolve names
> > to IPs we still rely on DNS? Or do you also rely on /etc/hosts for most
> > of the data?
> If the host name resolves to a different IP address, the authentication
> will fail.
Uhmm, perhaps we are thinking of two different things; once you control
DNS you control both direct and reverse address resolution.
> >> The safe way to add DNS TXT records back into the equation would be to
> >> add the DNS TXT lookup after the referrals request fails.
> >
> > Do we have information on which clients support referrals ?
> > And are they implemented in MIT KDC (and how) ?
> >
> Heimdal, MIT, and Microsoft support referrals as implemented in Windows
> Active Directory.
> The IETF Kerberos working group is still working on an RFC for referrals.
>
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-10.txt
Thanks a lot,
lots of very useful info here.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
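The thread turns on the order in which a Kerberos client maps a host name to a realm: the local [domain_realm] table in krb5.conf, then, only when dns_lookup_realm is enabled, a DNS TXT record named _kerberos.<name> walked up the domain tree. The following script is an added example written for this page; it is not code from the thread, from MIT krb5 or from Heimdal, and it models that order in simplified form (the final fallback to default_realm is an assumption made for the example, and referrals are not modelled). The krb5.conf fragment, the realm and host names, and the TXT answers are all constructed; the resolver is a dictionary so the script runs offline. The last call shows the point Jeff raises and Simo qualifies: with dns_lookup_realm = true, whoever controls the DNS answer for _kerberos.partner.test chooses the realm the client will talk to, which matters when that realm is one the client already trusts.

```python
"""Simplified model of Kerberos host-to-realm resolution (added example).

Order: [domain_realm] from krb5.conf, then DNS TXT _kerberos.<name> if
dns_lookup_realm is enabled, then default_realm (the last step is an
assumption for this example, not a statement about any implementation).
"""

from typing import Optional

# Constructed krb5.conf fragment; realm and domain names are hypothetical.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# Constructed DNS answers standing in for a real resolver: one record the
# domain owner published, one an attacker controlling DNS for partner.test
# could have injected (hypothetical).
FAKE_TXT_RECORDS = {
    "_kerberos.example.com": "EXAMPLE.COM",
    "_kerberos.partner.test": "EVIL.TEST",
}


def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf parser: {section: {key: value}} for flat
    'key = value' lines only (enough for the sections used here)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def realm_from_domain_realm(host: str, mapping: dict) -> Optional[str]:
    """[domain_realm] lookup: exact host name first, then each parent
    suffix written with a leading dot (.example.com covers all subdomains)."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def realm_from_dns_txt(host: str, resolve_txt) -> Optional[str]:
    """DNS TXT lookup: _kerberos.<host>, then _kerberos.<each parent>.
    The answer is taken at face value, which is the weakness discussed
    in the draft's security considerations."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        answer = resolve_txt("_kerberos." + ".".join(labels[i:]))
        if answer:
            return answer
    return None


def host_realm(host: str, conf_text: str, resolve_txt) -> str:
    """Local configuration wins; DNS TXT is consulted only when
    dns_lookup_realm is true; default_realm is the (assumed) fallback."""
    conf = parse_krb5_conf(conf_text)
    realm = realm_from_domain_realm(host, conf.get("domain_realm", {}))
    if realm:
        return realm
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("dns_lookup_realm", "false").lower() in ("true", "yes", "1"):
        realm = realm_from_dns_txt(host, resolve_txt)
        if realm:
            return realm
    return libdefaults.get("default_realm", "")


if __name__ == "__main__":
    lookup = FAKE_TXT_RECORDS.get
    print(host_realm("fs.example.com", KRB5_CONF, lookup))    # EXAMPLE.COM, from config
    print(host_realm("nfs.partner.test", KRB5_CONF, lookup))  # EXAMPLE.COM, DNS never asked
    unsafe = KRB5_CONF.replace("dns_lookup_realm = false", "dns_lookup_realm = true")
    print(host_realm("nfs.partner.test", unsafe, lookup))     # EVIL.TEST, chosen by DNS
```

Run it as-is and the host outside the configured domains never touches DNS; flip dns_lookup_realm and the same host is sent to whatever realm the TXT answer names. The practical reading of the thread is the same: keep dns_lookup_realm off and carry the mapping in [domain_realm] (or rely on referrals from the KDC), and treat SRV records for KDC discovery separately, since a wrong KDC address fails authentication rather than redirecting it.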