Wallet: a few questions on ACLs (and other animals)

Russ Allbery rra at stanford.edu
Thu Jun 14 18:30:38 EDT 2012

Mantas Mikulėnas <grawity at gmail.com> writes:
> On Fri, Jun 15, 2012 at 12:19 AM, Russ Allbery <rra at stanford.edu> wrote:

>> Not currently.  It's a little tricky to use a SRV record for this since
>> wallet doesn't have its own port (it just uses remctl), and normally
>> SRV records are tied to services with unique port assignments.  I could
>> just make up some TXT record convention, but I feel weird about that.

> Just like there are _kerberos._udp and _kerberos-master._udp sharing
> daemons and ports, I see no reason there couldn't be a _wallet._tcp
> SRV record.

Yeah, I suppose that's true.

>> There are also security issues with trusting DNS if you don't have
>> DNSSEC configured.

> How are they different from trusting DNS to correctly resolve a
> statically configured server?

remctl does mutual authentication with the server, so you know that you're
contacting the hostname that you think you're contacting.  But that
doesn't help if the attacker can change which hostname you contact.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list