On what basis does host canonicalization happen?

1983-01-06@gmx.net
Tue Sep 4 04:05:34 EDT 2012


Hi folks,

I recently tried to answer a Stack Overflow question regarding SPN/host canonicalization. While reading the GSS-API and Kerberos 5 RFCs I have found a contradiction which I do not fully understand.

RFC2713 says on page 85:
> When a reference to a name of this type is resolved, the "hostname"
> may (as an example implementation strategy) be canonicalized by
> attempting a DNS lookup and using the fully-qualified domain name 
> which is returned, or by using the "hostname" as provided if the DNS
> lookup fails. The canonicalization operation also maps the host's name 
> into lower-case characters.

So it is up to the mechanism to look up the real FQDN. RFC1964 says the same.

While RFC4120 says:
> Implementations of Kerberos and protocols based on Kerberos MUST NOT use
> insecure DNS queries to canonicalize the hostname components of the 
> service principal names (i.e., they MUST NOT use insecure DNS queries to 
> map one name to another to determine the host part of the principal name 
> with which one is to communicate). In an environment without secure name 
> service, application authors MAY append a statically configured domain 
> name to unqualified hostnames before passing the name to the security 
> mechanisms, but they should do no more than that. Secure name service 
> facilities, if available, might be trusted for hostname 
> canonicalization, but such canonicalization by the client SHOULD NOT be 
> required by KDC implementations.
>
> Implementation note: Many current implementations do some degree of 
> canonicalization of the provided service name, often using DNS even 
> though it creates security problems. However, there is no consistency 
> among implementations as to whether the service name is case folded to 
> lowercase or whether reverse resolution is used. To maximize 
> interoperability and security, applications SHOULD provide security 
> mechanisms with names that result from folding the user-entered name to
> lowercase without performing any other modifications or canonicalization.

I have checked the source code of krb5_sname_to_principal in sn2princ.c and see that it does canonicalize the hostname with DNS.

So, how should I interpret that? Kerberos should not look up DNS at any time?
I use JGSS most of the time, and it does canonicalize the hostname. This is crucial if you have DNS round-robin.

Thanks,

Michael
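To make the two quoted strategies concrete, here is an added example (not code from the post, from krb5, or from JGSS) that builds a service principal name both ways: the RFC 4120 way (lowercase, optionally append a statically configured domain, no DNS) and the RFC 2743 "may canonicalize via DNS" way that sn2princ.c follows. The host names, realm and the fake resolver result are constructed; `dns_canonicalize` is only the default resolver and is not needed to run the constructed case.

```python
"""Two ways of turning a user-entered host name into a Kerberos SPN,
matching the RFC 2743 and RFC 4120 quotes above. All names below are
constructed for illustration."""
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # hostname -> canonical name or None


def dns_canonicalize(hostname: str) -> Optional[str]:
    """RFC 2743-style strategy: ask DNS for the FQDN (AI_CANONNAME).
    Returns None when the lookup fails, so the caller keeps the input name."""
    try:
        info = socket.getaddrinfo(hostname, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return None
    return info[0][3] or None


def spn_rfc4120(service: str, hostname: str, realm: str,
                static_domain: Optional[str] = None) -> str:
    """RFC 4120 recommendation: fold to lowercase, append a statically
    configured domain to an unqualified name if one is configured, and do
    nothing else. No DNS query is issued, so a spoofed or poisoned answer
    cannot steer the client toward a different principal."""
    host = hostname.lower()
    if "." not in host and static_domain:
        host = f"{host}.{static_domain.lower()}"
    return f"{service}/{host}@{realm}"


def spn_dns(service: str, hostname: str, realm: str,
            resolver: Resolver = dns_canonicalize) -> str:
    """Canonicalize via DNS first (what sn2princ.c does), then lowercase and
    build the principal; falls back to the given name on lookup failure.
    With round-robin DNS the resulting SPN depends on which answer came back."""
    host = resolver(hostname) or hostname
    return f"{service}/{host.lower()}@{realm}"


if __name__ == "__main__":
    # Constructed resolver standing in for one round-robin DNS answer.
    fake = lambda h: {"www.example.com": "web2.example.com"}.get(h.lower())
    print(spn_rfc4120("HTTP", "WWW.Example.COM", "EXAMPLE.COM"))
    print(spn_rfc4120("HTTP", "www", "EXAMPLE.COM", static_domain="example.com"))
    print(spn_dns("HTTP", "WWW.Example.COM", "EXAMPLE.COM", resolver=fake))
```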

