RFC: Turning off reverse hostname resolution by default in 1.10
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Jul 6 14:01:11 EDT 2011
>On Wed, 2011-07-06 at 13:41 -0400, Ken Hornstein wrote:
>> >Does anyone on this list intentionally rely on PTR lookups for
>> >Kerberos hostname canonicalization?
>>
>> "Yes".
>>
>> (I can go into detail if you really care).
>
>I am interested if you can explain.
The answers:
- Multihomed hosts (we want to connect to a particular interface, but
we want to use one canonical name, because adding a new keytab for a
new interface is more of a pain than simply changing the reverse DNS).
This also becomes an issue when you're doing cross-domain multihoming
where the host is in another domain (and another Kerberos realm), and
yes, we do that too (but thankfully not that often).
- Hostname masquerading, where the host has a CNAME pointing to the
"real" name, but for various reasons we want the name used by Kerberos
to be the CNAME.
I admit that these issues are not insurmountable. But I am just answering
the question that Greg asked.
--Ken
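To make the two cases in Ken's reply concrete, here is an offline simulation of the canonicalization step, added here as an illustration and not code from MIT krb5 or from the list. It models the libkrb5 sequence in simplified form: a forward lookup that follows CNAMEs to a canonical name and address, then (only when reverse resolution is enabled) a PTR lookup on that address, whose result becomes the host component of host/<name>@REALM. The zone data (RFC 5737 documentation addresses, the srv-eth0/srv-eth1 interface names, the www.example.com CNAME) is constructed for the example; the multihomed host has both interface addresses reversing to one name, and the masqueraded host has a PTR that deliberately names the CNAME rather than the "real" host, which is exactly the trick the post describes.

```python
"""Simulation of Kerberos service-hostname canonicalization with and
without reverse (PTR) lookups.  Added example, not MIT krb5 code; the
zone data below is constructed and the lookup logic is a simplified
model of libkrb5's forward-then-PTR sequence."""


# Constructed zone data (RFC 5737 documentation addresses).
CNAME = {
    "www.example.com": "realhost.example.com",   # masquerading: CNAME -> real name
}
A = {
    "srv.example.com": ["192.0.2.10", "192.0.2.20"],   # one multihomed host
    "srv-eth0.example.com": ["192.0.2.10"],            # per-interface names
    "srv-eth1.example.com": ["192.0.2.20"],
    "realhost.example.com": ["192.0.2.30"],
}
PTR = {
    "192.0.2.10": "srv.example.com",   # both interfaces reverse to one name
    "192.0.2.20": "srv.example.com",
    "192.0.2.30": "www.example.com",   # PTR deliberately names the CNAME
}


def forward_canonical(name, max_chain=8):
    """Follow the CNAME chain; return (canonical_name, addresses)."""
    name = name.rstrip(".").lower()
    for _ in range(max_chain):
        if name in CNAME:
            name = CNAME[name]
            continue
        if name in A:
            return name, list(A[name])
        raise LookupError(f"no A/CNAME record for {name}")
    raise LookupError("CNAME chain too long")


def canonicalize(hostname, rdns=True):
    """Host component krb5 would use for host/<name>@REALM.

    rdns=True  : use the PTR name of the resolved address (falls back
                 to the forward name when no PTR exists)
    rdns=False : use the forward canonical name only
    """
    cname, addrs = forward_canonical(hostname)
    if not rdns:
        return cname
    ptr = PTR.get(addrs[0])
    return ptr.rstrip(".").lower() if ptr else cname


def service_principal(hostname, realm="EXAMPLE.COM", rdns=True):
    return f"host/{canonicalize(hostname, rdns)}@{realm}"


def keytab_entries_needed(names, rdns):
    """Distinct principals a server needs in its keytab so that clients
    connecting to each of `names` can authenticate to it."""
    return sorted({service_principal(n, rdns=rdns) for n in names})


if __name__ == "__main__":
    interfaces = ["srv-eth0.example.com", "srv-eth1.example.com"]
    for rdns in (True, False):
        print(f"rdns = {str(rdns).lower()}")
        for target in ("srv-eth1.example.com", "www.example.com"):
            print(f"  {target:22} -> {service_principal(target, rdns=rdns)}")
        print("  keytab entries for the multihomed host:",
              keytab_entries_needed(interfaces, rdns))
```

With reverse lookups on, connecting to either interface name yields a single host/srv.example.com principal, and connecting to www.example.com yields host/www.example.com; with them off, each interface name needs its own keytab entry and the CNAME collapses to host/realhost.example.com. The real switch is the `rdns` boolean in the `[libdefaults]` section of krb5.conf. The caveat behind the RFC is visible in `canonicalize`: with `rdns` on, the principal a client asks for is chosen by whoever controls the reverse zone for the server's address, which is why sites that depend on PTR-driven canonicalization need to treat that zone as security-relevant.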