RFC: Turning off reverse hostname resolution by default in 1.10

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Jul 6 14:01:11 EDT 2011


>On Wed, 2011-07-06 at 13:41 -0400, Ken Hornstein wrote:
>> >Does anyone on this list intentionally rely on PTR lookups for
>> >Kerberos hostname canonicalization?
>> 
>> "Yes".
>> 
>> (I can go into detail if you really care).
>
>I am interested if you can explain.

The answers:

- Multihomed hosts (we want to connect to a particular interface, but
  we want to use one canonical name, because adding a new keytab for a
  new interface is more of a pain than simply changing the reverse DNS).
  This also becomes an issue when you're doing cross-domain multihoming
  where the host is in another domain (and other Kerberos realm), and
  yes, we do that too (but thankfully not that often).
- Hostname masquerading, where the host has a CNAME pointing to the
  "real" name, but for various reasons we want the name used by Kerberos
  to be the CNAME.

I admit that these issues are not insurmountable.  But I am just answering
the question that Greg asked.

--Ken
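As an added illustration (not code from the thread or from MIT Kerberos), the following toy model shows why the two cases above depend on PTR lookups: it canonicalizes a hostname either forward-only (follow CNAMEs) or via the address's PTR record, over a constructed zone whose names, addresses and realm are made up.

```python
# Added example, not part of the original message. A minimal model of the
# two canonicalization strategies under discussion, driven by a constructed
# DNS zone (all names and addresses below are made up for illustration).

# Constructed zone: CNAME chain, forward A records, and reverse PTR records.
CNAME = {"www.example.test": "web1.example.test"}
A = {
    "web1.example.test": ["192.0.2.10"],
    "db1.example.test": ["192.0.2.20"],
    "db1-backnet.example.test": ["192.0.2.21"],
}
PTR = {
    "192.0.2.10": "www.example.test",  # masquerading: PTR names the alias
    "192.0.2.20": "db1.example.test",
    "192.0.2.21": "db1.example.test",  # multihomed: 2nd interface -> one name
}

def follow_cname(name, max_hops=8):
    """Chase CNAMEs to the target name, as a forward-only lookup would."""
    seen = []
    while name in CNAME:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at %s" % name)
        seen.append(name)
        name = CNAME[name]
    return name

def canonical_host(name, rdns=False):
    """Host component of host/<name>@REALM.
    rdns=False: forward-only canonicalization (the proposed 1.10 default).
    rdns=True:  resolve to an address, then trust that address's PTR record.
    With rdns=True the party controlling the PTR record chooses which
    principal the client asks for, so a missing PTR falls back to the
    forward name rather than failing open."""
    fwd = follow_cname(name)
    if not rdns:
        return fwd
    addrs = A.get(fwd)
    if not addrs:
        raise LookupError("no address record for %s" % fwd)
    return PTR.get(addrs[0], fwd)

def service_principal(name, rdns=False, realm="EXAMPLE.TEST"):
    """Service principal a client would request for `name`."""
    return "host/%s@%s" % (canonical_host(name, rdns), realm)

if __name__ == "__main__":
    for host in ("www.example.test", "db1-backnet.example.test"):
        for mode in (False, True):
            print(host, "rdns=%s" % mode, "->", service_principal(host, mode))
```

With rdns off, the alias case yields host/web1.example.test and the second interface yields host/db1-backnet.example.test, which is exactly why each case above needs either a PTR lookup or an extra keytab entry.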