On what basis does host canonicalization happen?

Tom Yu tlyu at MIT.EDU
Wed Sep 5 12:14:04 EDT 2012


Michael-O <1983-01-06 at gmx.net> writes:

> Am 2012-09-05 17:41, schrieb Booker Bense:
>> On Wed, Sep 5, 2012 at 7:33 AM, Michael-O <1983-01-06 at gmx.net> wrote:
>>
>>> For now, I do not see an alternative to a forward and reverse lookup at
>>> the moment. Well, isn't Kerberos used in managed environments only
>>> where only a few have control over DNS entries? In my case I am in a
>>> huge company with thousands of KDC (Active Directory, namely).

Even in a managed environment with tightly controlled forward DNS
records, the reverse DNS might not be under the control of the
enterprise administrators.  Some enterprises have net blocks that
belong to their ISP, and are therefore subject to the ISP's ability
and willingness to keep the reverse DNS for that net block up-to-date.
(CIDR PTR zone delegation is one possibility, but sometimes difficult
to get right, and ISPs might be less willing to set it up.)

>>> Are the aforementioned quotes a contradiction or simply a not solvable
>>> problem at the moment?
>>
>> I would say "simply not a solvable problem with current protocols". In
>> theory DNSSEC is the way out,
>> once it is widely deployed.
>>
>> Kerberos depends on all sides of the protocol knowing the principal names in an
>> a priori way that is outside the protocol. ( i.e. if you want to talk
>> to a server, you have
>> to know the principal to use before you can even begin the
>> conversation and there is
>> no way currently in the protocol to discover this. )
>>
>> So either the KDC re-implements DNSSEC or DNSSEC is widely and
>> securely deployed.
>> Kerberos ( and all security protocols ) are ways to extend trust, not
>> create it and they all require
>> that you start with some data that you just assert is trustworthy.

The KDC can function as a secure name service, effectively
re-implementing parts of DNSSEC, or can leverage an existing DNSSEC
deployment for which clients are unlikely to have correct configuration.
See
http://k5wiki.kerberos.org/wiki/Projects/Trust_KDC-local_name_resolution
for one possibility.

One additional element that might be necessary for this to work is for
the KDC to securely indicate to the client when it has this
capability.

> Agreed but this does not solve understanding the contradiction in the 
> RFCs. I can't tell whether DNSSEC is deployed in our company.

The text in RFC 1964 and RFC 2743 about canonicalization of hostnames
no longer reflects the general consensus about using insecure name
services for doing that canonicalization.
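As an added illustration (not code from this thread or from MIT krb5), the snippet below models the two canonicalization behaviours the thread contrasts: the legacy forward-then-reverse lookup, where the PTR record picks the service principal, and the forward-only variant. The zone data, the `FORWARD`/`REVERSE` tables and the `canonicalize` function are all constructed for the example so it runs offline.

```python
"""Host canonicalization as a Kerberos client traditionally did it:
forward-resolve the hostname (following CNAMEs), then reverse-resolve the
resulting address and use the PTR name for the host-based principal.

All DNS data below is constructed for this example; the resolver is a dict
so the code runs without network access.
"""
from typing import Dict, Tuple

# Constructed zone data: forward records the enterprise controls, plus a
# PTR zone that belongs to the ISP and has not been kept up to date
# (the situation described in the message above).
FORWARD: Dict[str, Tuple[str, str]] = {
    "mail.example.com": ("CNAME", "mx1.example.com"),
    "mx1.example.com": ("A", "192.0.2.10"),
}
REVERSE: Dict[str, str] = {
    # Stale PTR: the ISP still maps the address to a name the
    # enterprise never chose for this service.
    "192.0.2.10": "old-host.isp.example.net",
}


def forward_lookup(name: str, max_hops: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs until an A record; return (canonical_name, address)."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        rtype, value = FORWARD[name]
        if rtype == "A":
            return name, value
        name = value.lower().rstrip(".")  # CNAME target: keep resolving
    raise ValueError("CNAME chain too long")


def canonicalize(host: str, rdns: bool = True) -> str:
    """Return the host-based service principal name for `host`.

    rdns=True  -> legacy behaviour: the principal comes from the PTR of
                  the resolved address, i.e. from whoever runs reverse DNS.
    rdns=False -> forward-only: the principal comes from the forward
                  canonical name, which the enterprise itself controls.
    """
    cname, addr = forward_lookup(host)
    if rdns:
        # Fall back to the forward name only when no PTR exists at all.
        cname = REVERSE.get(addr, cname)
    return f"host/{cname}"
```

Running `canonicalize("mail.example.com")` yields `host/old-host.isp.example.net`, while the forward-only call yields `host/mx1.example.com`; in MIT krb5 the forward-only behaviour corresponds to `rdns = false` in the `[libdefaults]` section of krb5.conf.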

