Question about dns_lookup_realm and domain_realm
Russ Allbery
rra at stanford.edu
Mon Jun 30 01:25:45 EDT 2008
Danny Mayer <mayer at ntp.isc.org> writes:
> Jeffrey Altman wrote:
>> There are several issues here. First, DNS TXT records are known to be
>> insecure. Turning them on for use in realm resolution provides for
>> convenience but at the risk that your clients can be redirected to a
>> realm that you do not control.
> There is nothing insecure about DNS TXT records, any more than any other
> record in the DNS. I'm not sure where this idea came from.
Where this idea came from is that using DNS TXT records for domain-realm
mapping is potentially insecure in a way that using DNS records for SRV
mapping is not.
You can detect malicious SRV records because you share key material with
the KDC and can confirm that you're talking to the correct KDC. Malicious
TXT records are another matter, particularly if you have cross-realm trust
set up with realms that could be attacked. They allow compromise of a
realm with which you have cross-realm trust to be elevated into all sorts
of nasty attacks on Kerberos authentications that otherwise would be
entirely within your local realm.
The security issues aren't about the relative security of DNS; rather,
they're about how DNS TXT records for realm mapping are used and what
attacks that makes possible compared to SRV records.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list