RFC: Turning off reverse hostname resolution by default in 1.10

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Jul 6 13:27:24 EDT 2011


When creating service principals from hostnames, MIT krb5 performs two
canonicalization steps by default:

  1. Ask getaddrinfo() for the canonical name of the host, which
  converts non-fully-qualified domain names to fully-qualified ones
  and also resolves CNAME records in DNS.

  2. Use getnameinfo() to reverse-canonicalize the address resulting
  from the gaddrinfo call.  Typically, this results in a PTR lookup in
  DNS.  This step can be suppressed by setting rdns = false in
  libdefaults.

Neither of these steps is especially secure in most deployments.  We
have long-term plans to address that.  But, the second step in
particular also introduces a usability cost for new deployments
whenever there are mismatched PTR records.

We are considering turning off rdns by default in MIT krb5 1.10.  In
the past we've shied away from changing the default because we've been
afraid of creating upgrade pain.  But after consideration, we're not
sure there's likely to be much impact.

Does anyone on this list intentionally rely on PTR lookups for
Kerberos hostname canonicalization?



More information about the Kerberos mailing list