RFC: Turning off reverse hostname resolution by default in 1.10
ghudson@MIT.EDU
Wed Jul 6 13:27:24 EDT 2011
When creating service principals from hostnames, MIT krb5 performs two
canonicalization steps by default:
1. Ask getaddrinfo() for the canonical name of the host, which
converts non-fully-qualified domain names to fully-qualified ones
and also resolves CNAME records in DNS.
2. Use getnameinfo() to reverse-canonicalize the address resulting
from the getaddrinfo call. Typically, this results in a PTR lookup in
DNS. This step can be suppressed by setting rdns = false in
libdefaults.
Neither of these steps is especially secure in most deployments. We
have long-term plans to address that. But, the second step in
particular also introduces a usability cost for new deployments
whenever there are mismatched PTR records.
We are considering turning off rdns by default in MIT krb5 1.10. In
the past we've shied away from changing the default because we've been
afraid of creating upgrade pain. But after consideration, we're not
sure there's likely to be much impact.
Does anyone on this list intentionally rely on PTR lookups for
Kerberos hostname canonicalization?
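To make the two steps and the mismatched-PTR case concrete, the following is an added Python sketch, not code from this message or from MIT krb5: it models step 1 (getaddrinfo canonical name) and step 2 (getnameinfo PTR lookup) against constructed lookup tables instead of live DNS, with an rdns switch. The example.test names, the stale PTR for the db host, and the fallback to the forward name when the PTR lookup fails are assumptions made for the illustration.

```python
import socket

# Constructed lookup tables standing in for DNS (not real records, offline only).
# Forward side, as getaddrinfo(AI_CANONNAME) would see it:
#   queried name -> (canonical FQDN after search-domain and CNAME handling, address)
FORWARD = {
    "web": ("web01.example.test", "192.0.2.10"),               # short name, qualified
    "web.example.test": ("web01.example.test", "192.0.2.10"),  # CNAME -> web01
    "web01.example.test": ("web01.example.test", "192.0.2.10"),
    "db.example.test": ("db.example.test", "192.0.2.20"),
}
# Reverse side (PTR records). db's PTR is deliberately stale to show the mismatch case.
REVERSE = {
    "192.0.2.10": "web01.example.test",
    "192.0.2.20": "old-db.example.test",
}

def forward_canon(host):
    """Step 1: qualify the name and follow CNAMEs, like getaddrinfo(AI_CANONNAME)."""
    key = host.lower().rstrip(".")
    if key not in FORWARD:
        raise socket.gaierror(f"unknown host {host!r}")  # constructed resolver failure
    return FORWARD[key]

def reverse_canon(addr):
    """Step 2: PTR lookup, like getnameinfo(NI_NAMEREQD); None when no PTR exists."""
    return REVERSE.get(addr)

def host_to_principal(service, host, realm, rdns=True):
    """Build service/fqdn@REALM. With rdns on, a successful PTR lookup replaces the
    forward canonical name; a failed lookup keeps it (assumed behaviour, see lead-in)."""
    canon, addr = forward_canon(host)
    if rdns:
        ptr = reverse_canon(addr)
        if ptr is not None:
            canon = ptr
    return f"{service}/{canon.lower()}@{realm}"

def rdns_sensitive_hosts(hosts, service="host", realm="EXAMPLE.TEST"):
    """Pre-upgrade audit: which hosts would get a different principal once rdns is off?
    Returns {host: (principal_with_rdns, principal_without_rdns)} for the mismatches."""
    out = {}
    for h in hosts:
        with_rdns = host_to_principal(service, h, realm, rdns=True)
        without = host_to_principal(service, h, realm, rdns=False)
        if with_rdns != without:
            out[h] = (with_rdns, without)
    return out
```

Running rdns_sensitive_hosts over a site's host list (with a real resolver substituted for the tables) shows exactly which service principals a change of the rdns default would rename, which is the upgrade-pain question the message raises.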