On what basis does host canonicalization happen?

Booker Bense bbense at gmail.com
Wed Sep 5 14:59:07 EDT 2012


On Wed, Sep 5, 2012 at 8:50 AM, Michael-O <1983-01-06 at gmx.net> wrote:
> Am 2012-09-05 17:41, schrieb Booker Bense:
>
> Agreed but this does not solve understanding the contradiction in the RFCs.
> I can't tell whether DNSSEC is deployed in our company.

Unless your company is a .gov, it's unlikely that DNSSEC is sufficiently deployed to be workable.

>
> Michael
>

You are misunderstanding the nature of RFCs. Think of RFCs as a snapshot in time of the state of a protocol. Experience and changing threat models will cause the kind of changes you are seeing as a "contradiction". The early RFCs document the only practical way of getting a unique per-host service principal. Unfortunately, that method is not particularly secure and there is no widely deployed alternative. Later RFCs document this weakness, but don't offer any alternatives.

RFCs are really just recommendations for implementers; they can be, and often are, ignored in the face of actually getting things done.

FWIW, I would say the recommendation against using DNS is one of those things that's more honored in the breach than actually used in practice. Every commercial implementation that I know of has it turned on, and they all support the use of DNS SRV records to locate the KDC. It's one of those compromises you have to make between usability and security.

- Booker C. Bense
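The "not particularly secure" canonicalization step the post refers to, modelled as an added example (this is not code from the poster, from MIT krb5, or from any other Kerberos implementation). The client turns the hostname a user typed into a host/... service principal by following DNS: a forward lookup to the canonical name, and optionally a reverse (PTR) lookup on the resulting address. The in-memory zones, hostnames and addresses are constructed for illustration; the option names `dns_canonicalize_hostname` and `rdns` mirror the MIT krb5 [libdefaults] settings of the same names, but the lookup logic here is a simplified model, not the library's.

```python
"""Model of how a Kerberos client turns a user-supplied hostname into a
host/... service principal, and why letting unauthenticated DNS drive
that step is risky. Added example for this thread; zone data is
constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FakeDns:
    """Constructed, in-memory answers standing in for what a resolver
    would return. A real client asks the network; without DNSSEC it
    cannot tell an honest answer from a spoofed one."""
    a: dict[str, str]      # name -> IPv4 address
    cname: dict[str, str]  # alias -> target name
    ptr: dict[str, str]    # address -> name (reverse zone)

    def forward(self, name: str) -> tuple[str, str]:
        """Follow CNAMEs to the canonical name (what a resolver reports
        as the canonical name) and return (canonical_name, address)."""
        seen: set[str] = set()
        while name in self.cname:
            if name in seen:
                raise ValueError(f"CNAME loop at {name}")
            seen.add(name)
            name = self.cname[name]
        if name not in self.a:
            raise LookupError(f"no address record for {name}")
        return name, self.a[name]

    def reverse(self, addr: str) -> str | None:
        """PTR lookup; None when the reverse zone has no entry."""
        return self.ptr.get(addr)


def service_principal(hostname: str, realm: str, dns: FakeDns, *,
                      dns_canonicalize_hostname: bool = True,
                      rdns: bool = True) -> str:
    """Build host/<name>@REALM the way a DNS-canonicalizing client does.

    dns_canonicalize_hostname=False: trust the name the user typed.
    rdns=True: after the forward lookup, replace the name with the PTR
    record of the address (the least trustworthy step of all)."""
    name = hostname.rstrip(".").lower()
    if dns_canonicalize_hostname:
        canon, addr = dns.forward(name)
        if rdns:
            rev = dns.reverse(addr)
            if rev:
                canon = rev
        name = canon.rstrip(".").lower()
    return f"host/{name}@{realm}"


# Constructed zones (assumed names; addresses from the RFC 5737 test range).
HONEST = FakeDns(
    a={"www.example.com": "192.0.2.10"},
    cname={"web.example.com": "www.example.com"},
    ptr={"192.0.2.10": "www.example.com"},
)

# Attacker spoofs only the reverse answer for the real server's address.
PTR_POISONED = FakeDns(
    a=HONEST.a, cname=HONEST.cname,
    ptr={"192.0.2.10": "evil.example.com"},
)

# Attacker spoofs the forward answer, pointing the alias at a host whose
# host/ key the attacker legitimately holds in the same realm.
FORWARD_POISONED = FakeDns(
    a={"evil.example.com": "192.0.2.66"},
    cname={"web.example.com": "evil.example.com"},
    ptr={"192.0.2.66": "evil.example.com"},
)


def outcomes(hostname: str, realm: str) -> dict[str, str]:
    """Principal the client would ask the KDC for under each zone/setting."""
    return {
        "honest, defaults": service_principal(hostname, realm, HONEST),
        "ptr poisoned, rdns=true": service_principal(hostname, realm, PTR_POISONED),
        "ptr poisoned, rdns=false": service_principal(
            hostname, realm, PTR_POISONED, rdns=False),
        "forward poisoned, rdns=false": service_principal(
            hostname, realm, FORWARD_POISONED, rdns=False),
        "forward poisoned, no canonicalization": service_principal(
            hostname, realm, FORWARD_POISONED, dns_canonicalize_hostname=False),
    }


if __name__ == "__main__":
    for setting, principal in outcomes("web.example.com", "EXAMPLE.COM").items():
        print(f"{setting:40} -> {principal}")
```

The point of the three zones: a poisoned PTR answer alone is enough to redirect the client to the attacker's host/ principal when reverse lookups are on; turning them off closes that hole but a poisoned forward answer still wins; only refusing to canonicalize at all keeps the principal tied to the name the user typed. That last setting is where the usability cost in the post comes from: the server's keytab then has to contain host/web.example.com exactly as typed (an alias, not the canonical name), which is what the DNS-based scheme was letting administrators avoid.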

