Kerberos behavior in the presence of multiple PTR records

Tom Yu tlyu at MIT.EDU
Fri Mar 15 14:48:51 EDT 2013


Nico Williams <nico at cryptonector.com> writes:

> On Fri, Mar 15, 2013 at 9:04 AM, Yury Sulsky <yury.sulsky at gmail.com> wrote:

>> Right, thanks. I should have read more carefully. Still, wouldn't it make
>> sense to iterate through all PTR records and search for one that matches the
>> canonical name returned from the forward lookup? If a record like that does
>> exist, returning that one would allow the user to specify a host that has
>> other canonical names (and multiple PTR records).

> The code here isn't seeing the PTR records.  Instead MIT Kerberos is
> calling system library functions (getnameinfo(3)) that do that, and
> those functions, as I've explained, only look at one PTR RR.

Adapting the code to iterate over multiple PTR records would add
complexity and require calling out to a lower-level DNS resolver API.
In addition, any nsswitch-based hostname information that is not in
DNS would be ignored (unless getnameinfo() were also consulted).

I would prefer to not do this without a really good reason, especially
because we are trying to eventually eliminate the use of hostname
canonicalization for principal name construction in our
implementation.
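As an added illustration (not code from this thread or from MIT Kerberos), a constructed comparison of the two reverse-lookup strategies discussed above: taking the single name a getnameinfo(3)-style call returns versus iterating the PTR RRset for the name that matches the forward canonical name. The DNS data, host names and function names are all invented for the example.

```python
# Constructed DNS data; nothing is resolved on the network.
FORWARD = {  # queried name -> (canonical name after CNAME chasing, address)
    "kdc.example.com": ("kdc.example.com", "192.0.2.10"),
    "ldap.example.com": ("kdc.example.com", "192.0.2.10"),   # CNAME -> kdc
    "files.example.com": ("files.example.com", "192.0.2.10"),
}
REVERSE = {  # address -> PTR RRset, in the order a resolver happens to return it
    "192.0.2.10": ["files.example.com", "kdc.example.com"],
}


def forward_canonical(host):
    """Forward lookup: follow the CNAME to the canonical name and its address."""
    return FORWARD[host.rstrip(".").lower()]


def reverse_single(addr):
    """Mimics getnameinfo(3): the caller only ever sees one PTR RR."""
    return REVERSE[addr][0]


def principal_via_getnameinfo(host, service="host"):
    """Service principal built from whatever single PTR the resolver hands back."""
    _canon, addr = forward_canonical(host)
    return f"{service}/{reverse_single(addr)}"


def principal_via_ptr_match(host, service="host"):
    """The iteration proposed in the thread: prefer the PTR equal to the
    forward canonical name, otherwise fall back to the first PTR, otherwise
    keep the forward canonical name itself."""
    canon, addr = forward_canonical(host)
    ptrs = REVERSE.get(addr, [])
    chosen = canon if canon in ptrs else (ptrs[0] if ptrs else canon)
    return f"{service}/{chosen}"


if __name__ == "__main__":
    for h in ("kdc.example.com", "ldap.example.com", "files.example.com"):
        print(h, principal_via_getnameinfo(h), principal_via_ptr_match(h))
```

With two PTRs on one address, the single-PTR path yields `host/files.example.com` for a client that asked for `ldap.example.com`, while the matching path yields `host/kdc.example.com`; the example only models the trade-off, not the resolver or nsswitch details Tom raises.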
