Authenticating using lower case domain/realm

Ken Raeburn raeburn at MIT.EDU
Mon Mar 9 13:53:39 EDT 2009

On Mar 9, 2009, at 12:23, Santos wrote:
> BTW, dns_lookup_realm doesn't seen to work. It could help my case, if
> kerberos queried the NS for TXT records in which i could specify the  
> realm
> in upper case.
> I sniffed the DNS queries but no TXT queries. Any idea why?

The TXT records are used for mapping host names to realm names, and  
are only looked up if the domain_realm section of the config file  
doesn't list the host or domain name.  If you supply a realm name on  
the command line (or wherever), then TXT records won't be looked up at  

(In particular, we don't use TXT records to map the realm name to  
itself and figure out the capitalization, if that's what you were  
expecting.  It might be a heuristic to try, but it's certainly  
possible for there to be a host with a name matching a realm, and for  
that host to be in a different realm, or for there to be a wildcard  
record pointing to another realm....)


More information about the Kerberos mailing list