Query - How to determine the KDC
Rick van Rein
rick at openfortress.nl
Fri Jan 31 10:34:04 EST 2014
Hello,
>> Hope this isn't a silly question. Is there a command/tool that tells us
>> which is the KDC for a particular realm ?
Silly me, I only gave half an answer.
Once you have established that the realm of a DNS zone is the right one, you can rely on the KDC mentioned in SRV records with subnames _kerberos._udp and/or _kerberos._tcp — this has less requirement for DNSSEC because the KDC is less susceptible to MITM attacks, but that is only valid if you can have 100% reliance on your users to work with 128-bit (or better) entropy in their passwords...
-Rick
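
The SRV lookup described in the message above, as an added example that is not part of the original post: it builds the two SRV owner names for a realm and orders `dig +short SRV` answers into a KDC candidate list. The function names, the realm EXAMPLE.ORG and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: list KDC candidates for a realm from DNS SRV records.
# All function names are hypothetical; EXAMPLE.ORG and the records are constructed.

# Print the two SRV owner names for a realm (the realm is lowercased
# to form the DNS zone name).
kdc_srv_names() {
    zone=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$zone" "$zone"
}

# Read `dig +short SRV` lines ("priority weight port target.") on stdin and
# print "target:port", lowest priority first. Within one priority this sorts
# by descending weight, a simplification of the weighted random choice a
# real client makes.
order_kdcs() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $2, $4 ":" $3
         }' |
        sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Live lookup for a realm; needs dig and network access, so it is only
# defined here and not called.
lookup_kdcs() {
    for name in $(kdc_srv_names "$1"); do
        printf '%s\n' "$name"
        dig +short SRV "$name" | order_kdcs | sed 's/^/  /'
    done
}

# Constructed sample of `dig +short SRV _kerberos._udp.example.org` output.
sample_srv() {
    cat <<'EOF'
10 0 88 kdc2.example.org.
0 50 88 kdc1b.example.org.
0 100 88 kdc1a.example.org.
EOF
}
```

Running `lookup_kdcs EXAMPLE.ORG` after sourcing the file performs the live query; `sample_srv | order_kdcs` shows the ordering offline.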