Kerberos behavior in the presence of multiple PTR records
Greg Hudson
ghudson at MIT.EDU
Thu Mar 14 16:02:46 EDT 2013
On 03/14/2013 11:25 AM, Yury Sulsky wrote:
> This may be just me misunderstanding PTR records, but it looks like the
> Kerberos library doesn't support multiple records when checking that a
> hostname maps to an IP address that maps back to the same hostname (I think
> this check only takes place if the "rdns" option is set).

The sname-to-principal code isn't performing a pass-or-fail check; it's
trying to determine the canonical name of a host. So if we considered
multiple PTR records or did PTR lookups for multiple addresses, we would
have to somehow decide which one to use.
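
Added example, not part of the original message and not MIT krb5 code: a small Python model of the distinction drawn in the reply, showing that a pass-or-fail round-trip check can succeed for both names while canonicalization must still emit a single name. The records, realm, and the rule "first address, first PTR name in the answer" are assumptions made for illustration.

```python
# Simplified model of forward-then-reverse canonicalization; not MIT krb5 code.
# All names, addresses and the realm below are constructed sample data.
A_RECORDS = {
    "web.example.com": ["192.0.2.10"],
    "host1.example.com": ["192.0.2.10"],
}
PTR_RECORDS = {"192.0.2.10": ["host1.example.com", "web.example.com"]}
REALM = "EXAMPLE.COM"


def roundtrip_ok(hostname, a=A_RECORDS, ptr=PTR_RECORDS):
    """Pass-or-fail view: some address of hostname has a PTR naming hostname."""
    return any(hostname in ptr.get(addr, []) for addr in a.get(hostname, []))


def canonical_name(hostname, a=A_RECORDS, ptr=PTR_RECORDS, rdns=True):
    """Canonicalization view: exactly one name must come out.

    Assumption: the first address and the first PTR name in the answer are
    used, so with several PTR records the result depends on record order.
    """
    addrs = a.get(hostname, [])
    if not rdns or not addrs:
        return hostname.lower()  # simplification: forward name used as given
    names = ptr.get(addrs[0], [])
    return names[0].lower() if names else hostname.lower()


def possible_principals(service, hostname, a=A_RECORDS, ptr=PTR_RECORDS):
    """Every service principal a client could derive across PTR orderings."""
    addrs = a.get(hostname, [])
    names = ptr.get(addrs[0], []) if addrs else []
    hosts = {n.lower() for n in names} or {hostname.lower()}
    return sorted(f"{service}/{h}@{REALM}" for h in hosts)


def ambiguous_addresses(ptr=PTR_RECORDS):
    """Audit helper: addresses whose reverse zone holds more than one PTR."""
    return sorted(addr for addr, names in ptr.items() if len(set(names)) > 1)


if __name__ == "__main__":
    for host in A_RECORDS:
        print(host, roundtrip_ok(host), canonical_name(host),
              possible_principals("host", host))
    print("addresses with multiple PTRs:", ambiguous_addresses())
```

Running `ambiguous_addresses` over an export of a reverse zone lists the addresses for which the derived service principal could differ between lookups.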