Insisting on DNSSEC (was: tickets with wrong DNS)
Rick van Rein
rick at openfortress.nl
Mon Jun 9 02:36:02 EDT 2014
Hi,
> The KDC has no way of knowing if DNS is correct or wrong,
It could of course use a DNSSEC-aware resolver.
> nor would it trust the DNS
That is a setting with MIT krb5, and an admin could feel safe to enable it after setting up DNSSEC.
> even if it were able to ask a sensible question out of it.
I’ve been thinking along these lines, and would prefer to be able to install a secure name resolver on my KDC, and make it *require* DNSSEC. This could also help to trust remote, unknown zones. I wrote it down on
http://rickywiki.vanrein.org/doku.php?id=insisting-on-dnssec
It seems that I am the only one who sees a case for *insisting* on DNSSEC, or do others on this list agree there is a need?
Cheers,
-Rick