Kerberos behavior in the presence of multiple PTR records

Yury Sulsky yury.sulsky at
Thu Mar 14 19:08:01 EDT 2013

On Thu, Mar 14, 2013 at 4:02 PM, Greg Hudson <ghudson at> wrote:

> On 03/14/2013 11:25 AM, Yury Sulsky wrote:
> The sname-to-principal code isn't performing a pass-or-fail check; it's
> trying to determine the canonical name of a host.  So if we considered
> multiple PTR records or did PTR lookups for multiple addresses, we would
> have to somehow decide which one to use.

I'm not sure I understand. The function [krb5_sname_to_principal] takes a
candidate hostname (or calls [gethostname] if that argument is NULL), and
performs a forward lookup using [getaddrinfo]. It then takes the canonical
name and IP address stored in the first addrinfo record and checks that
DNS has a reverse mapping from that IP address to that canonical name,
otherwise it fails.

This check is performed using [getnameinfo], so only a single PTR record is
examined (probably the first one, though I guess that depends on the libc
implementation). Would it be incorrect (or somehow insecure) to search
through all PTR records for the canonical name rather than just the one
that's returned by [getnameinfo]?
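
Added example, not part of the original message and not MIT krb5 code: a small C model of the two comparison policies the message contrasts, showing that a first-record-only comparison depends on the order in which PTR records come back. Assumptions: the PTR set is constructed sample data and the function names are hypothetical; since getnameinfo hands back a single name, a real implementation would have to query the resolver directly (for example with res_query) to obtain the full set.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Compare two DNS names case-insensitively, ignoring one trailing dot. */
static int dns_name_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > 0 && a[la - 1] == '.') la--;
    if (lb > 0 && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

/* Policy A (hypothetical name): compare only the single name a
 * getnameinfo-style call would hand back, modelled here as ptr[0]. */
int match_first_ptr(const char *canon, const char *const *ptr, size_t n)
{
    return n > 0 && dns_name_eq(canon, ptr[0]);
}

/* Policy B (hypothetical name): accept if any PTR record for the
 * address equals the canonical name from the forward lookup. */
int match_any_ptr(const char *canon, const char *const *ptr, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (dns_name_eq(canon, ptr[i]))
            return 1;
    return 0;
}

/* Constructed sample data: one address carrying two PTR records. */
static const char *const sample_ptrs[] = {
    "alias.example.com.", "host.example.com."
};

int main(void)
{
    const char *canon = "Host.Example.COM"; /* constructed canonical name */
    printf("first PTR only: %d\n", match_first_ptr(canon, sample_ptrs, 2));
    printf("any PTR:        %d\n", match_any_ptr(canon, sample_ptrs, 2));
    return 0;
}
```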
