determining rdns capability

Ken Dreyer ktdreyer at
Thu Nov 15 12:34:33 EST 2012

On Thu, Nov 15, 2012 at 10:18 AM, Greg Hudson <ghudson at> wrote:
> On 11/15/2012 11:46 AM, Ken Dreyer wrote:
>> For msktutil, I recently received a patch to optionally set "rdns =
>> false".
> [...]
>> What is the best way to determine MIT's rdns capability?
> I don't believe there is one, because that knob was never envisioned as
> being application-controllable.

That's too bad. Is there any sort of version number I could check at
least, just to offer some sort of warning in the interface?

> I'm kind of curious how such a patch
> could even work, and I'd question whether it's a good idea for some
> applications to turn off rdns while others don't.

msktutil writes out a temporary krb5.conf file and then does the
Kerberos operations with those settings. The msktutil feature
optionally writes "rdns = false" into the temporary krb5.conf file.

To give a bit of background on my own situation, in my environment at
work, the main intranet DNS servers are unable to reverse-resolve the
domain controllers. Possible workarounds we've considered:
- Add the PTRs on the name servers
- Use AD for DNS
- Add IP addresses in /etc/hosts

None of these options are optimal for technical or political reasons.
It's best to just disable rdns for this particular application.

> Whether "rdns = false" will work is complicated by the odd, probably
> buggy behavior of getaddrinfo in some (maybe all) versions of glibc.
> glibc does a PTR lookup for AI_CANONNAME if AI_ADDRCONFIG or
> hints.ai_family is also used.  We worked around this behavior in 1.10.2
> by changing how we call getaddrinfo().

Yes, a couple users on Ubuntu hit this bug too. At this point we're
just waiting for the patches to trickle down to the distros.

- Ken
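
The temporary-krb5.conf approach described in the message above, as an added example that is not part of the original post and is not msktutil's own code. The helper name, the `EXAMPLE.COM` realm and the use of MIT's `KRB5_CONFIG` environment variable to select the file are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: write a private temporary krb5.conf and point the
 * Kerberos library at it. Returns 0 on success, -1 on error. path_out
 * receives the file name so the caller can unlink() it when finished. */
int write_temp_krb5_conf(const char *realm, int disable_rdns,
                         char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/krb5-example-XXXXXX";
    mode_t old = umask(077);      /* nobody else may read or alter the file */
    int fd = mkstemp(tmpl);       /* unpredictable name, exclusive creation */
    umask(old);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    fprintf(f, "[libdefaults]\n");
    fprintf(f, "    default_realm = %s\n", realm);
    if (disable_rdns)
        fprintf(f, "    rdns = false\n");   /* the optional setting */
    if (fclose(f) != 0 || strlen(tmpl) >= path_len) {
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    /* Must be set before krb5_init_context() loads its configuration. */
    return setenv("KRB5_CONFIG", path_out, 1);
}

int main(void)
{
    char path[64];
    if (write_temp_krb5_conf("EXAMPLE.COM", 1, path, sizeof path) != 0)
        return 1;
    printf("KRB5_CONFIG=%s\n", path);
    unlink(path);                 /* a real tool removes it after its krb5 calls */
    return 0;
}
```

Because the file decides how service host names are canonicalized, it is created with owner-only permissions and removed once the Kerberos operations finish.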
