On what basis does host canonicalization happen?
1983-01-06@gmx.net
1983-01-06 at gmx.net
Tue Sep 4 04:05:34 EDT 2012
Hi folks,
I recently tried to answer to stackoverflow question regarding SPN/host canonicalization. While reading the GSS-API and Kerberos 5 RFCs I have found a contradiction which I do not fully understand.
RFC2713 says on page 85:
> When a reference to a name of this type is resolved, the "hostname"
> may (as an example implementation strategy) be canonicalized by
> attempting a DNS lookup and using the fully-qualified domain name
> which is returned, or by using the "hostname" as provided if the DNS
> lookup fails. The canonicalization operation also maps the host's name
> into lower-case characters.
So it is up to the mechanism to lookup the real FQDN. Same does RFC1964.
While RFC4120 says:
> Implementations of Kerberos and protocols based on Kerberos MUST NOT use
> insecure DNS queries to canonicalize the hostname components of the
> service principal names (i.e., they MUST NOT use insecure DNS queries to
> map one name to another to determine the host part of the principal name
> with which one is to communicate). In an environment without secure name
> service, application authors MAY append a statically configured domain
> name to unqualified hostnames before passing the name to the security
> mechanisms, but they should do no more than that. Secure name service
> facilities, if available, might be trusted for hostname
> canonicalization, but such canonicalization by the client SHOULD NOT be
> required by KDC implementations.
>
> Implementation note: Many current implementations do some degree of
> canonicalization of the provided service name, often using DNS even
> though it creates security problems. However, there is no consistency
> among implementations as to whether the service name is case folded to
> lowercase or whether reverse resolution is used. To maximize
> interoperability and security, applications SHOULD provide security
> mechanisms with names that result from folding the user- entered name to
> lowercase without performing any other modifications or canonicalization.
I have checked the source code of krb5_sname_to_principal in sn2princ.c and see that it does canonicalize the hostname with DNS.
So, how to interprete that? Kerberos should not lookup in DNS at anytime?
I use most of the time JGSS and it does canocalize the hostname. This is crucial if you have DNS round-robin.
Thanks,
Michael
More information about the Kerberos
mailing list