Insisting on DNSSEC (was: tickets with wrong DNS)

Rick van Rein rick at openfortress.nl
Mon Jun 9 02:36:02 EDT 2014


Hi,

> The KDC has no way of knowing if DNS is correct or wrong,

It could of course use a DNSSEC-aware resolver.

> nor would it
> trust the DNS

That is a setting with MIT krb5, and an admin could feel safe to enable it after setting up DNSSEC.

> even if it were able to ask a sensible question out of it.

I’ve been thinking along these lines, and would prefer to be able to install a secure name resolver on my KDC and make it *require* DNSSEC.  This could also help to trust remote, unknown zones.  I wrote it down on

http://rickywiki.vanrein.org/doku.php?id=insisting-on-dnssec

It seems that I am the only one who sees a case for *insisting* on DNSSEC, or do others on this list agree there is a need?

Cheers,
 -Rick
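What "requiring DNSSEC" at the resolver boundary amounts to, as an added example that is not part of the post, of MIT krb5, or of the wiki page linked above: the stub side sends queries with the EDNS0 DO bit and accepts an answer only when the validating resolver set the AD (Authenticated Data) bit; SERVFAIL from a validating resolver is how a bogus or broken chain shows up, and a missing AD bit means either an unsigned zone or a resolver that does not validate at all. The example assumes the validating resolver (unbound on 127.0.0.1, say) sits on the KDC host itself over a trusted path, because AD is just a header bit and can be forged by anyone on the path between stub and resolver; that is the main reason to put the validator on the KDC rather than on a shared network resolver. The SRV name, transaction id and all DNS messages are constructed inline; nothing is sent on the network.

```python
"""
Added example, not code from the original post or from MIT krb5: a stub-side
check that *insists* on DNSSEC-validated answers, as the post proposes for a
KDC.  Assumption: queries go to a trusted validating resolver (e.g. unbound on
127.0.0.1) over a trusted path, so its AD bit can be relied on.  All messages
below are constructed samples; nothing is sent on the network.
"""
import struct

# DNS header flag bits (RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.2.3)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated every RRset
FLAG_CD = 0x0010  # checking disabled; never set when insisting on DNSSEC
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

TYPE_SRV, TYPE_OPT, CLASS_IN = 33, 41, 1
EDNS_DO = 0x00008000  # DNSSEC OK bit in the OPT RR's TTL field (RFC 6891)


class DnssecPolicyError(Exception):
    """Answer does not meet the 'must be DNSSEC-validated' policy."""


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Query with RD set and an EDNS0 OPT RR carrying DO, so the resolver
    returns signatures and sets AD on answers it validated."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, "class" = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & RCODE_MASK,
            "ad": bool(flags & FLAG_AD), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def require_validated(msg: bytes, expected_txid: int) -> dict:
    """Accept only answers the validating resolver marked authenticated."""
    h = parse_header(msg)
    if h["id"] != expected_txid:
        raise DnssecPolicyError("transaction id mismatch")
    if not h["flags"] & FLAG_QR:
        raise DnssecPolicyError("not a response")
    if h["flags"] & FLAG_TC:
        raise DnssecPolicyError("truncated: retry over TCP before deciding")
    if h["rcode"] == RCODE_SERVFAIL:
        raise DnssecPolicyError("SERVFAIL: resolver could not validate (bogus or broken chain)")
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        raise DnssecPolicyError("unexpected rcode %d" % h["rcode"])
    if not h["ad"]:
        raise DnssecPolicyError("AD not set: unsigned zone or non-validating resolver")
    return h  # validated answer, or validated denial of existence (NXDOMAIN + AD)


def verdict(msg: bytes, expected_txid: int) -> str:
    """'ok' or the policy failure reason."""
    try:
        require_validated(msg, expected_txid)
        return "ok"
    except DnssecPolicyError as e:
        return str(e)


def make_response(txid: int, flags: int, qname: str, qtype: int) -> bytes:
    """Constructed sample response: header plus echoed question only, since
    the policy check reads the header."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


TXID = 0x1234                               # constructed
QNAME = "_kerberos._udp.example.com"        # hypothetical KDC SRV name
QUERY = build_query(QNAME, TYPE_SRV, TXID)
RESP_VALIDATED = make_response(TXID, FLAG_RD | FLAG_RA | FLAG_AD, QNAME, TYPE_SRV)
RESP_UNSIGNED = make_response(TXID, FLAG_RD | FLAG_RA, QNAME, TYPE_SRV)
RESP_BOGUS = make_response(TXID, FLAG_RD | FLAG_RA | RCODE_SERVFAIL, QNAME, TYPE_SRV)
RESP_NXDOMAIN_SIGNED = make_response(TXID, FLAG_RD | FLAG_RA | FLAG_AD | RCODE_NXDOMAIN, QNAME, TYPE_SRV)
RESP_WRONG_ID = make_response(TXID ^ 1, FLAG_RD | FLAG_RA | FLAG_AD, QNAME, TYPE_SRV)

if __name__ == "__main__":
    for label, resp in [("validated", RESP_VALIDATED), ("unsigned", RESP_UNSIGNED),
                        ("bogus", RESP_BOGUS), ("nxdomain-signed", RESP_NXDOMAIN_SIGNED),
                        ("wrong-id", RESP_WRONG_ID)]:
        print("%-16s %s" % (label, verdict(resp, TXID)))
```

Two practical notes. First, a validated NXDOMAIN is accepted on purpose: a signed denial of existence is exactly what lets a KDC refuse to guess at a realm or KDC for a name that does not exist. Second, the check never sets CD and never falls back to an unvalidated answer on SERVFAIL; that fail-closed behaviour is the whole point of "insisting", and it is why the validator needs its own trust anchor management (root key rollover) to avoid locking the KDC out of DNS entirely. The MIT krb5 setting the post alludes to is presumably the `dns_lookup_kdc` / `dns_lookup_realm` family in `[libdefaults]` (an assumption about which knob was meant); this example is the resolver-side policy such a knob would rely on, not a replacement for it.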

