Kerberos behavior in the presence of multiple PTR records

Greg Hudson ghudson at MIT.EDU
Thu Mar 14 16:02:46 EDT 2013

On 03/14/2013 11:25 AM, Yury Sulsky wrote:
> This may be just me misunderstanding PTR records, but it looks like the
> Kerberos library doesn't support multiple records when checking that a
> hostname maps to an IP address that maps back to the same hostname (I think
> this check only takes place if the "rdns" option is set).

The sname-to-principal code isn't performing a pass-or-fail check; it's
trying to determine the canonical name of a host.  So if we considered
multiple PTR records or did PTR lookups for multiple addresses, we would
have to somehow decide which one to use.
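An added illustration of the point above (example code written for this page, not code from MIT krb5 or from either poster): with rdns on, canonicalization takes the name that reverse DNS hands back for the host's first address, so a host with two PTR records leaves the library to pick one. The forward and reverse tables below are constructed stand-ins for real DNS zones, no network I/O happens, and the function names and the `policy` parameter are hypothetical: "first" models a resolver that simply returns the first PTR, "strict" models a library that refuses to guess and keeps the forward name when the reverse mapping is ambiguous.

```python
# Constructed forward (A) and reverse (PTR) tables standing in for real DNS zones.
# Names are stored fully qualified with a trailing dot, as DNS does.
FORWARD = {
    "mail.example.com.":  ["192.0.2.10"],
    "www.example.com.":   ["192.0.2.20", "192.0.2.21"],
    "alias.example.com.": ["192.0.2.20"],   # shares www's first address
    "batch.example.com.": ["192.0.2.21"],
}
REVERSE = {
    "192.0.2.10": ["mail.example.com."],                        # exactly one PTR
    "192.0.2.20": ["www.example.com.", "alias.example.com."],   # two PTR records
    "192.0.2.21": [],                                           # no PTR at all
}


def _fqdn(name):
    """Normalise a hostname to lower-case, trailing-dot form."""
    return name.strip().lower().rstrip(".") + "."


def forward_lookup(hostname):
    """Return the addresses for a name (empty list if unknown)."""
    return list(FORWARD.get(_fqdn(hostname), []))


def reverse_lookup(addr):
    """Return every PTR name for an address (empty list if none)."""
    return list(REVERSE.get(addr, []))


def ptr_names_for_host(hostname):
    """PTR names of the host's *first* address, i.e. the set a reverse
    lookup would have to choose from."""
    addrs = forward_lookup(hostname)
    return reverse_lookup(addrs[0]) if addrs else []


def canonical_name(hostname, rdns=True, policy="first"):
    """Hypothetical sname-to-principal canonicalisation (illustration only).

    1. Forward-resolve the host; an unknown host is an error.
    2. With rdns off, the forward name is the canonical name.
    3. With rdns on, look at the PTR records of the first address:
       - exactly one PTR: use it;
       - no PTR: keep the forward name;
       - several PTRs: 'first' takes whatever came first (what a single
         getnameinfo-style answer amounts to), 'strict' keeps the forward
         name rather than guess.
    """
    name = _fqdn(hostname)
    addrs = forward_lookup(name)
    if not addrs:
        raise LookupError("no address for %s" % name)
    if not rdns:
        return name
    ptrs = reverse_lookup(addrs[0])
    if len(ptrs) == 1:
        return ptrs[0]
    if not ptrs:
        return name
    if policy == "first":
        return ptrs[0]
    if policy == "strict":
        return name
    raise ValueError("unknown policy %r" % policy)


def service_principal(service, hostname, realm, rdns=True, policy="first"):
    """Build service/canonical-host@REALM from the canonicalised name."""
    host = canonical_name(hostname, rdns=rdns, policy=policy).rstrip(".")
    return "%s/%s@%s" % (service, host, realm)


if __name__ == "__main__":
    for host in ("mail.example.com", "alias.example.com", "batch.example.com"):
        print(host, "->", ptr_names_for_host(host))
        for rdns, policy in ((False, "first"), (True, "first"), (True, "strict")):
            print("  rdns=%-5s policy=%-6s %s" % (rdns, policy,
                  service_principal("host", host, "EXAMPLE.COM", rdns, policy)))
```

Running it shows the ambiguity concretely: `alias.example.com` becomes `host/www.example.com@EXAMPLE.COM` under the "first" policy and stays `host/alias.example.com@EXAMPLE.COM` under "strict" or with rdns off. Since real resolvers may return PTR records in varying order, the "first" choice can differ from one lookup to the next, so a client and a KDC can end up naming the same host with different principals.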
