No subject
Tue Dec 13 04:47:59 EST 2011
The second mechanism, recently introduced into the MIT code base but not
currently used by default, works by looking up the information in
special TXT records in the Domain Name Service. If this
mechanism is enabled on the client, it will try to look up a TXT
record for the DNS name formed by putting the prefix _kerberos in
front of the hostname in question. If that record is not found, it will
try using _kerberos and the host's domain name, then its parent
domain, and so forth. So for the hostname
BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
    _kerberos.boston.engineering.foobar.com
    _kerberos.engineering.foobar.com
    _kerberos.foobar.com
    _kerberos.com
The value of the first TXT record found is taken as the realm name.
(Obviously, this doesn't work all that well if a host and a subdomain
have the same name, and different realms. For example, if all the hosts
in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
another realm. In that case, you would set up TXT records for all
hosts, rather than relying on the fallback to the domain name.)
Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other sites.
-----Original Message-----
From: muselix at angelfire.com [mailto:muselix at angelfire.com]
Sent: Monday, August 19, 2002 2:44 PM
To: kerberos at mit.edu
Subject: Discover a Kerberos KDC
How does one discover a Kerberos KDC through DNS? Several people I
have spoken with say it is possible, but when I ask them _how_ to do
it they give me a blank look. All of the online resources I have
looked at are geared to administration rather than application
development, and as such are less than helpful.
________________________________________________
Kerberos mailing list Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
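
The TXT-record walk described in the reply above, as an added example that is not part of the original messages and is not MIT Kerberos code. The zones are constructed sample data, `lookup` stands in for a real TXT query, and `trusted_suffix` is a hypothetical policy parameter (not an MIT option) that stops the walk before names such as _kerberos.com that sit outside the domain you administer.

```python
# Added example (not MIT Kerberos code): the _kerberos TXT fallback walk.
# `lookup` is any callable mapping a DNS name to a TXT value or None.

def candidate_names(hostname):
    """Names to query for a host, most specific first."""
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]

def realm_for_host(hostname, lookup, trusted_suffix=None):
    """Return (realm, answering_name); the first TXT record found wins.

    trusted_suffix is a hypothetical policy knob, not an MIT option: when
    set, names outside that suffix (e.g. _kerberos.com) are never queried.
    """
    for name in candidate_names(hostname):
        if trusted_suffix and not name.endswith("." + trusted_suffix.lower()):
            break  # walked above the domain we administer; stop here
        value = lookup(name)
        if value is not None:
            return value, name
    return None, None

# Constructed sample zones standing in for DNS.
# Domain-level record only: every host inherits the domain's realm, and the
# host named engineering.foobar.com shares its record with the subdomain.
ZONE_FALLBACK = {"_kerberos.engineering.foobar.com": "ENGINEERING.FOOBAR.COM"}

# Per-host records for the name collision case. A host left without its own
# record would now inherit OTHER.FOOBAR.COM, hence "records for all hosts".
ZONE_PER_HOST = {
    "_kerberos.boston.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    "_kerberos.engineering.foobar.com": "OTHER.FOOBAR.COM",
}

if __name__ == "__main__":
    for zone in (ZONE_FALLBACK, ZONE_PER_HOST):
        for host in ("BOSTON.ENGINEERING.FOOBAR.COM", "ENGINEERING.FOOBAR.COM"):
            print(host, "->", realm_for_host(host, zone.get, "foobar.com"))
```

Returning the answering name alongside the realm lets a caller log which level of the hierarchy supplied the mapping.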