Kerberos behavior in the presence of multiple PTR records

Tom Yu tlyu at MIT.EDU
Fri Mar 15 14:48:51 EDT 2013

Nico Williams <nico at> writes:

> On Fri, Mar 15, 2013 at 9:04 AM, Yury Sulsky <yury.sulsky at> wrote:

>> Right, thanks. I should have read more carefully. Still, wouldn't it make
>> sense to iterate through all PTR records and search for one that matches the
>> canonical name returned from the forward lookup? If a record like that does
>> exist, returning that one would allow the user to specify a host that has
>> other canonical names (and multiple PTR records).

> The code here isn't seeing the PTR records.  Instead MIT Kerberos is
> calling system library functions (getnameinfo(3)) that do that, and
> those functions, as I've explained, only look at one PTR RR.

Adapting the code to iterate over multiple PTR records would add
complexity and require calling out to a lower-level DNS resolver API.
In addition, any nsswitch-based hostname information that is not in
DNS would be ignored (unless getnameinfo() were also consulted).

I would prefer to not do this without a really good reason, especially
because we are trying to eventually eliminate the use of hostname
canonicalization for principal name construction in our

More information about the Kerberos mailing list