On what basis does host canonicalization happen?

Booker Bense bbense at gmail.com
Wed Sep 5 11:41:36 EDT 2012


On Wed, Sep 5, 2012 at 7:33 AM, Michael-O <1983-01-06 at gmx.net> wrote:

> For now, I do not see an alternative to a forward and reverse lookup at
> the moment. Well, isn't Kerberos used in managed environments only
> where only a few have control over DNS entries? In my case I am in a
> huge company with thousands of KDCs (Active Directory, namely).
>
> Are the aforementioned quotes a contradiction or simply a not solvable
> problem at the moment?

I would say "simply not a solvable problem with current protocols". In
theory DNSSEC is the way out, once it is widely deployed.

Kerberos depends on all sides of the protocol knowing the principal names in an
a priori way that is outside the protocol. (i.e. if you want to talk to a
server, you have to know the principal to use before you can even begin the
conversation, and there is no way currently in the protocol to discover this.)

So either the KDC re-implements DNSSEC or DNSSEC is widely and securely
deployed. Kerberos (and all security protocols) are ways to extend trust, not
create it, and they all require that you start with some data that you just
assert is trustworthy.

- Booker C. Bense
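As an added illustration (not part of Booker Bense's message, nor code from any Kerberos implementation), here is a small Python model of the forward-and-reverse canonicalization the thread discusses, run against a constructed in-memory DNS table rather than live DNS. The realm `EXAMPLE.COM`, the hostnames and the addresses are made up; the `use_rdns` flag stands in for the `rdns` setting in MIT krb5's `krb5.conf`, and `pinned_canonicalize` models the "data you just assert is trustworthy" that the reply says every Kerberos deployment must start from.

```python
"""Model of Kerberos service-principal canonicalization via DNS.

Everything here is constructed for illustration: the realm, the hostnames,
the addresses and the resolver are an in-memory table, not live DNS.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.COM"  # constructed realm

# Constructed forward records: name -> (canonical name, address).
FORWARD = {
    "web": ("web.example.com", "192.0.2.10"),
    "web.example.com": ("web.example.com", "192.0.2.10"),
    "alias.example.com": ("web.example.com", "192.0.2.10"),
}
# Constructed reverse (PTR) records: address -> name.
REVERSE = {"192.0.2.10": "web.example.com"}


@dataclass
class Resolver:
    """Stand-in for the system resolver, backed by the tables above."""
    forward: dict
    reverse: dict

    def lookup(self, name):
        return self.forward.get(name.lower())

    def ptr(self, addr):
        return self.reverse.get(addr)


def dns_canonicalize(host, resolver, use_rdns=True):
    """Derive host/<name>@REALM the way a DNS-driven client does.

    With use_rdns=True the client takes the PTR name of the resolved address
    (the forward-then-reverse lookup discussed in the thread).  With
    use_rdns=False it stops at the forward lookup's canonical name, which is
    the effect of MIT krb5's ``rdns = false``.  Either way, the resulting
    principal is only as trustworthy as the DNS data it was derived from.
    """
    rec = resolver.lookup(host)
    if rec is None:
        raise LookupError(f"no forward record for {host}")
    canon, addr = rec
    if use_rdns:
        ptr = resolver.ptr(addr)
        if ptr:
            canon = ptr
    return f"host/{canon.lower()}@{REALM}"


def pinned_canonicalize(host, pinned):
    """Out-of-band mode: the principal is asserted a priori from a pinned
    table (the 'data you just assert is trustworthy') and DNS is not consulted."""
    try:
        return pinned[host.lower()]
    except KeyError:
        raise LookupError(f"no pinned principal for {host}") from None


def compare(host="web"):
    """Run all three modes against an honest resolver and against one whose
    PTR record differs, to show which modes inherit the change."""
    honest = Resolver(dict(FORWARD), dict(REVERSE))
    # Same forward data, but the reverse record now names a different host
    # (constructed to show that the derived principal follows the PTR).
    changed = Resolver(dict(FORWARD), {"192.0.2.10": "other.example.com"})
    pinned = {"web": f"host/web.example.com@{REALM}"}  # constructed pin
    results = {}
    for label, r in (("honest", honest), ("changed_ptr", changed)):
        results[label] = {
            "rdns": dns_canonicalize(host, r, use_rdns=True),
            "no_rdns": dns_canonicalize(host, r, use_rdns=False),
            "pinned": pinned_canonicalize(host, pinned),
        }
    return results


if __name__ == "__main__":
    for label, modes in compare().items():
        for mode, principal in modes.items():
            print(f"{label:12s} {mode:8s} {principal}")
```

Running `compare()` shows the point of the reply in three lines: when only the PTR record changes, the reverse-lookup mode produces a principal for a different host, while the forward-only and pinned modes keep `host/web.example.com@EXAMPLE.COM`. The pinned table is the smallest piece of out-of-band trust that makes the outcome independent of DNS; the forward-only mode still trusts the forward zone, which is why the thread lands on DNSSEC as the eventual answer.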

