On what basis does host canonicalization happen?

Michael-O 1983-01-06 at gmx.net
Wed Sep 5 11:50:06 EDT 2012


Am 2012-09-05 17:41, schrieb Booker Bense:
> On Wed, Sep 5, 2012 at 7:33 AM, Michael-O <1983-01-06 at gmx.net> wrote:
>
>> For now, I do not see an alternative to a forward and reverse lookup at
>> the moment. Well, isn't Kerberos used in managed environments only,
>> where only a few people have control over DNS entries? In my case I am in a
>> huge company with thousands of KDCs (Active Directory, namely).
>>
>> Are the aforementioned quotes a contradiction or simply an unsolvable
>> problem at the moment?
>
> I would say "simply not a solvable problem with current protocols". In
> theory DNSSEC is the way out, once it is widely deployed.
>
> Kerberos depends on all sides of the protocol knowing the principal names in an
> a priori way that is outside the protocol. (I.e. if you want to talk to a
> server, you have to know the principal to use before you can even begin the
> conversation, and there is no way currently in the protocol to discover this.)
>
> So either the KDC re-implements DNSSEC or DNSSEC is widely and securely
> deployed. Kerberos (and all security protocols) are ways to extend trust, not
> create it, and they all require that you start with some data that you just
> assert is trustworthy.

Agreed, but this does not help with understanding the contradiction in the
RFCs. I can't tell whether DNSSEC is deployed in our company.

Michael
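The forward-and-reverse lookup Michael refers to is what a Kerberos client does when it canonicalizes the host part of a service principal before asking the KDC for a ticket. The following is an added example, not code from the thread or from any Kerberos implementation: it models that canonicalization against a constructed in-memory DNS table so it runs offline. The `FakeDns` class, the record data and the optional consistency check (requiring the name found via PTR to forward-resolve back to the same address) are assumptions made for illustration; real clients differ in the details, but the example makes the point of the thread concrete, namely that the principal the client ends up using is whatever the DNS data says it is.

```python
# Added example (not from the mailing list thread): a minimal model of
# forward-then-reverse host canonicalization for Kerberos service principals,
# run against constructed DNS data. FakeDns, the records and the consistency
# check are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class FakeDns:
    """Constructed DNS data: forward (A) and reverse (PTR) records."""
    a: dict = field(default_factory=dict)     # name -> list of IPv4 strings
    ptr: dict = field(default_factory=dict)   # IPv4 string -> name

    def forward(self, name):
        return self.a.get(name.rstrip('.').lower(), [])

    def reverse(self, addr):
        return self.ptr.get(addr)


def canonicalize(dns, hostname, rdns=True, verify_consistency=True):
    """Return the canonical host name used to form host/<name>@REALM.

    1. forward lookup of the user-supplied name to get an address;
    2. if rdns is enabled, reverse lookup of that address for the
       "canonical" name (falls back to the forward name if no PTR exists);
    3. optionally, a consistency check that the PTR name forward-resolves
       to the same address, rejecting a stale or mismatched PTR record.
    """
    name = hostname.rstrip('.').lower()
    addrs = dns.forward(name)
    if not addrs:
        raise LookupError(f"no forward record for {name}")
    if not rdns:
        return name
    rname = dns.reverse(addrs[0])
    if rname is None:
        return name
    rname = rname.rstrip('.').lower()
    if verify_consistency and addrs[0] not in dns.forward(rname):
        raise ValueError(
            f"PTR for {addrs[0]} -> {rname} does not forward-resolve back")
    return rname


def service_principal(dns, hostname, realm, **kw):
    """Build the host-based service principal from the canonical name."""
    return f"host/{canonicalize(dns, hostname, **kw)}@{realm}"


# Constructed records: three names share one address whose PTR names
# server7; the .99 address carries a PTR that does not match its forward data.
DNS = FakeDns(
    a={
        "web.example.com": ["192.0.2.10"],
        "alias.example.com": ["192.0.2.10"],
        "server7.example.com": ["192.0.2.10"],
        "other.example.com": ["192.0.2.99"],
    },
    ptr={
        "192.0.2.10": "server7.example.com.",
        "192.0.2.99": "web.example.com.",   # inconsistent PTR
    },
)

if __name__ == "__main__":
    print(service_principal(DNS, "alias.example.com", "EXAMPLE.COM"))
    print(service_principal(DNS, "alias.example.com", "EXAMPLE.COM", rdns=False))
    try:
        service_principal(DNS, "other.example.com", "EXAMPLE.COM")
    except ValueError as e:
        print("rejected:", e)
```

With `rdns=True` the client asks for `host/server7.example.com@EXAMPLE.COM` whichever alias the user typed, which is exactly why the thread worries about who controls the PTR zone; with `rdns=False` it sticks to the name the user supplied, which is the usual mitigation when reverse DNS is not trustworthy. The consistency check does not restore the a priori knowledge Booker describes as missing from the protocol, it only catches PTR records that disagree with the forward zone.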


