RFC: Turning off reverse hostname resolution by default in 1.10
Simo Sorce
simo at redhat.com
Wed Jul 6 16:29:38 EDT 2011
On Wed, 2011-07-06 at 16:02 -0400, Jeffrey Altman wrote:
> On 7/6/2011 2:22 PM, Simo Sorce wrote:
> > I would resolve all these issues by using aliases at the KDC level, but
> > thank you for explaining, it's valuable data on the way KDC/DNS are used
> > to keep track of.
>
> The primary thing that the Kerberos development team needs to keep in
> mind every time a change is made is that Kerberos deployments are
> distributed and federated. In many of the environments there are many
> realms involved which are managed by different organizations. Upgrading
> clients and KDCs cannot be performed in lock step and there is no
> ability to coordinate which comes first: the KDC / KDB update or the
> client deployments.
>
> Any transition plan to alter canonical name resolution processing must
> take that into account. It must be possible for a client machine to be
> updated in one organization or on one individual's machine and have it
> continue to work when the KDC/KDB for the realm that client communicates
> with is not updated to support KDC side aliasing.
>
> Just my two cents ...
Jeffrey, as far as I understand, the proposal is to simply change the
default. I have seen no request to remove the rdns parameter, so if you
need reverse resolution, at most you'll have to set rdns = true in
krb5.conf on clients.
It may be annoying to have to do that in haste if you don't know in
advance and merrily upgrade to 1.10; that's why Greg asked on the list
before changing the default.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
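As an added illustration (not code from the thread or from MIT krb5), the following is a simplified offline model of what the `rdns` setting changes when a client turns a hostname into the host part of a service principal: with `rdns = true` the address from the forward lookup is reverse-resolved and the PTR name is used, with `rdns = false` only the forward canonical name is. The DNS tables and all function names are constructed for the example; real krb5 uses getaddrinfo()/getnameinfo().

```python
# Constructed sample zone data so the example runs without network access.
FORWARD = {  # queried name -> (canonical name, address), like getaddrinfo(AI_CANONNAME)
    "web.example.com":   ("web.example.com", "192.0.2.10"),
    "www.example.com":   ("web.example.com", "192.0.2.10"),    # CNAME to web
    "files.example.com": ("files.example.com", "192.0.2.20"),
}
REVERSE = {  # address -> PTR target, like getnameinfo()
    "192.0.2.10": "web.example.com",
    "192.0.2.20": "nas01.example.com",  # PTR name differs from the forward name
}


def canonical_host(hostname, rdns):
    """Host component a client would put into service/<host>@REALM."""
    name = hostname.lower().rstrip(".")
    if name not in FORWARD:
        raise LookupError(f"forward lookup failed for {name}")
    cname, addr = FORWARD[name]
    if rdns:
        # rdns = true (the pre-1.10 default): use the PTR name when the
        # reverse lookup succeeds, otherwise fall back to the forward name.
        return REVERSE.get(addr, cname)
    # rdns = false (proposed 1.10 default): forward canonical name only.
    return cname


def service_principal(service, hostname, realm, rdns):
    """Full principal name the client will request a ticket for."""
    return f"{service}/{canonical_host(hostname, rdns)}@{realm}"


def hosts_changed_by_default_flip(hostnames, service="host", realm="EXAMPLE.COM"):
    """Hosts whose requested principal differs between rdns=true and rdns=false.

    These are the services that would need a KDC-side alias, or
    rdns = true in krb5.conf on upgraded clients, to keep working.
    """
    return [
        h for h in hostnames
        if service_principal(service, h, realm, True)
        != service_principal(service, h, realm, False)
    ]


if __name__ == "__main__":
    for h in FORWARD:
        print(h, service_principal("host", h, "EXAMPLE.COM", True),
              service_principal("host", h, "EXAMPLE.COM", False))
    print("need alias or rdns=true:", hosts_changed_by_default_flip(list(FORWARD)))
```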