RFC: Turning off reverse hostname resolution by default in 1.10

Greg Hudson ghudson at MIT.EDU
Wed Jul 6 14:31:44 EDT 2011


On Wed, 2011-07-06 at 14:01 -0400, Ken Hornstein wrote:
> I admit that these issues are not insurmountable.  But I am just answering
> the question that Greg asked.

Thanks, that's useful.  Do you have any Heimdal clients in your
environment, and do they cause problems with the hosts in question?  (My
understanding is that Heimdal never does reverse resolution.)

Of course, the answers I get here are mostly useful as proxies for what
level of disruption would occur for users who aren't on the list.
Anyone who's paying attention could simply turn rdns back on.

Jeff Altman wrote:
> Getting rid of the reverse dns lookups for canonical name resolution
> is the right thing to do and will finally bring MIT Kerberos into
> compliance with RFC 4120.

No; the forward resolution step also violates RFC 4120.

Nico wrote:
> I would also recommend finding a way to get rid of the forward
> resolution as well.

See:

http://k5wiki.kerberos.org/wiki/Projects/Trust_KDC-local_name_resolution

Not yet stated there is that when a client gets initial credentials, the
KDC would communicate somehow (say, through encrypted padata) that it
can do hostname resolution, and the client would store that information
in a config setting in the ccache and suppress hostname
canonicalization.
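The two krb5.conf libdefaults behind this discussion are dns_canonicalize_hostname (the forward step) and rdns (the reverse step). As an added illustration, not code from this thread or from MIT krb5, here is a simplified Python model of how krb5_sname_to_principal derives the host part of a service principal under those settings. The forward and PTR tables are constructed sample data standing in for DNS; the key point they show is that with rdns enabled the PTR owner, not the forward result, ends up in the principal name.

```python
"""Simplified model of MIT krb5 host canonicalization for service principals.

Added illustration only: this is not krb5 code.  The lookup tables below are
constructed sample data, not real DNS.  Real krb5 uses getaddrinfo() with
AI_CANONNAME for the forward step and getnameinfo() for the reverse step.
"""

# Constructed forward data: name -> (canonical name after CNAME chasing, address)
FORWARD = {
    "mail": ("mail.example.com", "192.0.2.10"),
    "mail.example.com": ("mail.example.com", "192.0.2.10"),
    "www.example.com": ("web01.example.com", "192.0.2.20"),   # CNAME to web01
}

# Constructed reverse (PTR) data: address -> owner name.
# The second record deliberately disagrees with the forward data.
REVERSE = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.20": "other-name.example.net",
}


def canonicalize(hostname, dns_canonicalize_hostname=True, rdns=True):
    """Return the host name that would be placed in the principal.

    dns_canonicalize_hostname=False: use the name exactly as given.
    rdns=False: forward lookup only (canonical name from the A/CNAME data).
    rdns=True (the long-standing krb5 default): the PTR owner of the first
    address replaces the forward result whenever a PTR record exists.
    """
    name = hostname
    if dns_canonicalize_hostname:
        canonical, addr = FORWARD.get(hostname, (hostname, None))
        name = canonical
        if rdns and addr is not None:
            name = REVERSE.get(addr, name)
    # krb5 lowercases the result and drops a trailing dot.
    return name.rstrip(".").lower()


def sname_to_principal(service, hostname, realm, **opts):
    """Build service/host@REALM the way krb5_sname_to_principal would."""
    return f"{service}/{canonicalize(hostname, **opts)}@{realm}"


if __name__ == "__main__":
    for opts in ({}, {"rdns": False}, {"dns_canonicalize_hostname": False}):
        print(opts, sname_to_principal("host", "www.example.com", "EXAMPLE.COM", **opts))
```

Running the block prints the three variants for www.example.com: with the default settings the principal names other-name.example.net (taken from the PTR record), with rdns = false it names web01.example.com (the forward canonical name), and with dns_canonicalize_hostname = false it keeps www.example.com unchanged, which is the behaviour the wiki page linked above is working towards.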
