RFC: Turning off reverse hostname resolution by default in 1.10
Simo Sorce
simo at redhat.com
Wed Jul 6 14:22:50 EDT 2011
On Wed, 2011-07-06 at 14:01 -0400, Ken Hornstein wrote:
> >On Wed, 2011-07-06 at 13:41 -0400, Ken Hornstein wrote:
> >> >Does anyone on this list intentionally rely on PTR lookups for
> >> >Kerberos hostname canonicalization?
> >>
> >> "Yes".
> >>
> >> (I can go into detail if you really care).
> >
> >I am interested if you can explain.
>
> The answers:
>
> - Multihomed hosts (we want to connect to a particular interface, but
> we want to use one canonical name, because adding a new keytab for a
> new interface is more of a pain than simply changing the reverse DNS).
> This also comes into issue when you're doing cross-domain multihoming
> where the host is in another domain (and other Kerberos realm), and
> yes, we do that too (but thankfully not that often).
> - Hostname masquerading, where the host has a CNAME pointing to the
> "real" name, but for various reasons we want the name used by Kerberos
> to be the CNAME.
>
> I admit that these issues are not insurmountable. But I am just answering
> the question that Greg asked.
I would resolve all these issues by using aliases at the KDC level, but
thank you for explaining, it's valuable data on the way KDC/DNS are used
to keep track of.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
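The two cases Ken describes (multihoming behind one canonical name, and a CNAME that the PTR record names back), modelled over a constructed in-memory zone to show what the rdns default changes. This is an added example, not code from the thread or from the krb5 project; the zone names and addresses are invented, and the lookup order follows the documented behaviour of `krb5_sname_to_principal` (forward lookup following CNAMEs, then a PTR lookup on the first address when rdns is on).

```python
"""Model of how an MIT krb5 client turns a hostname into the host part of a
host/<name>@REALM service principal, with and without reverse (PTR) lookups,
run over a constructed in-memory zone.  Added example; not krb5 code."""
from typing import Dict, List, Set

# Constructed zone data standing in for real DNS.
CNAME: Dict[str, str] = {"files.example.com": "srv2.example.com"}
A: Dict[str, List[str]] = {
    "srv1.example.com": ["10.0.0.1", "10.0.1.1"],  # multihomed host
    "srv1-ext.example.com": ["10.0.1.1"],          # name for its 2nd interface
    "srv2.example.com": ["10.0.0.2"],
    "srv3.example.com": ["10.0.0.3"],              # no PTR record at all
}
PTR: Dict[str, str] = {
    "10.0.0.1": "srv1.example.com",
    "10.0.1.1": "srv1.example.com",   # both interfaces resolve back to one name
    "10.0.0.2": "files.example.com",  # PTR deliberately names the CNAME
}

def forward_canonical(name: str) -> str:
    """Follow CNAMEs as getaddrinfo(AI_CANONNAME) would; error on loops."""
    seen: Set[str] = set()
    while name in CNAME:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = CNAME[name]
    if name not in A:
        raise LookupError("no address record for %s" % name)
    return name

def canonical_host(name: str, rdns: bool) -> str:
    """Host component of the service principal the client would request.
    rdns=True is the pre-1.10 default: the PTR of the first address wins,
    so the operator of the reverse zone decides which principal is named.
    rdns=False (the proposed default) stops at the forward result."""
    fwd = forward_canonical(name.lower().rstrip("."))
    if not rdns:
        return fwd
    return PTR.get(A[fwd][0], fwd)  # krb5 falls back to the forward name

def keytab_hosts(client_names: List[str], rdns: bool) -> Set[str]:
    """Distinct host principals the service's keytab (or its KDC alias list)
    must cover for the names clients actually use."""
    return {canonical_host(n, rdns) for n in client_names}
```

With rdns off, the multihomed host needs a keytab entry (or a KDC alias, as Simo suggests) for each interface name clients use; with rdns on, a single PTR change achieves the same effect, which is exactly why the reverse zone sits on the trust path.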