Kerberos behavior in the presence of multiple PTR records

Nico Williams nico at
Thu Mar 14 16:20:04 EDT 2013

To my knowledge no RFC says that only one PTR RR may exist in any
given PTR RRSet.  In practice all implementations of getnameinfo(),
gethostbyaddr(), and the like, use only the first PTR RR in the PTR
RRSet for obvious semantic reasons: such code is looking for a
canonical name for an IP address, and more than one name means there's
no canonical name, thus either failure or "pick one" are the only

In any case, you should never want to use PTR RR lookups for principal
name canonicalization.  (Not unless you are using DNSSEC, which you're
almost certainly not.)


More information about the Kerberos mailing list