Insisting on DNSSEC (was: tickets with wrong DNS)

Simo Sorce simo at redhat.com
Mon Jun 9 08:59:17 EDT 2014



----- Original Message -----
> Hi,
> 
> > The KDC has no way of knowing if DNS is correct or wrong,
> 
> It could of course use a DNSSEC-aware resolver.
> 
> > nor would it
> > trust the DNS
> 
> That is a setting with MIT krb5, and an admin could feel safe to enable it
> after setting up DNSSEC.
> 
> > even if it were able to ask a sensible question out of it.
> 
> I've been thinking along these lines, and would prefer to be able to install
> a secure name resolver on my KDC and make it *require* DNSSEC.  This
> could also help to trust remote, unknown zones.  I wrote it down at
> 
> http://rickywiki.vanrein.org/doku.php?id=insisting-on-dnssec
> 
> It seems that I am the only one who sees a case for *insisting* on DNSSEC, or
> do others on this list agree there is a need?

DNSSEC is an awesome idea for clients, but has really nothing to do with checking if AS requests should succeed or not.
When it comes to AS requests, from the KDC POV all that really matters is whether you have a valid key or not.

DNSSEC might be used to perform canonicalization on the KDC side, so it may be relevant to resolving a TGS request if the principal is not found as transmitted by the client and the client requests canonicalization; but that's a different story, and once again it does not really involve the actual IP addresses that any of the resolved names point to.

HTH,
Simo.
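As an added example (not code from this thread, from MIT krb5, or from the wiki page linked above) of what a stub that *insists* on DNSSEC actually has to check before it uses an answer: the validating resolver signals its verdict in the DNS header, so the policy is a handful of header tests. The AD (Authenticated Data) bit must be set, CD (Checking Disabled) must be clear, and a SERVFAIL from a validator means the data was bogus, not that the name does not exist. The function and constant names are hypothetical, and the sample responses are constructed header-only messages, as a validating resolver on the same host would return them.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated; the UDP answer is incomplete
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated every RRset
FLAG_CD = 0x0010  # Checking Disabled: validation was skipped on request
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

HEADER_LEN = 12


class DnssecPolicyError(Exception):
    """Raised when a response does not meet the 'DNSSEC required' policy."""


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    return {
        "id": ident, "flags": flags,
        "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes, expected_id: int) -> str:
    """Apply the 'insist on DNSSEC' policy and return a verdict string.

    Only 'validated' and 'authenticated-nxdomain' are usable results;
    everything else names the reason the answer must be discarded.
    """
    h = parse_header(msg)
    if h["id"] != expected_id:
        return "rejected: transaction id mismatch"
    if not h["qr"]:
        return "rejected: not a response"
    if h["tc"]:
        return "rejected: truncated, retry over TCP"
    if h["rcode"] == RCODE_SERVFAIL:
        # A validating resolver answers SERVFAIL for bogus data; never fall
        # back to a non-validating resolver here, that defeats the policy.
        return "bogus-or-unreachable: SERVFAIL"
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return f"rejected: rcode {h['rcode']}"
    if h["cd"]:
        return "unvalidated: CD set"
    if not h["ad"]:
        return "unvalidated: AD clear (unsigned zone or non-validating resolver)"
    return "authenticated-nxdomain" if h["rcode"] == RCODE_NXDOMAIN else "validated"


def require_validated(msg: bytes, expected_id: int) -> str:
    """Like classify(), but raise instead of returning a rejection."""
    verdict = classify(msg, expected_id)
    if verdict not in ("validated", "authenticated-nxdomain"):
        raise DnssecPolicyError(verdict)
    return verdict


def build_response(ident: int, flags: int, qdcount: int = 1, ancount: int = 1) -> bytes:
    # Constructed header-only message for the demo; real responses carry
    # question and answer sections after these 12 bytes.
    return struct.pack("!6H", ident, flags, qdcount, ancount, 0, 0)


# Constructed sample responses, as a validating resolver on localhost would
# return them for a query sent with the AD bit (or DO bit) set.
SAMPLES = {
    "signed_zone": build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD),
    "unsigned_zone": build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA),
    "bogus_signature": build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, ancount=0),
    "secure_denial": build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD | RCODE_NXDOMAIN, ancount=0),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16s} -> {classify(msg, 0x1234)}")
```

Two caveats a practitioner will want: the AD bit is only a claim by whichever resolver answered, so it is meaningful only when the validating resolver runs on the KDC itself (or the path to it is otherwise protected), which is exactly why the proposal above puts the resolver on the KDC; and a resolver only reports AD when the query asked for it (AD or DO set), so the stub must set that bit on the way out. On the MIT krb5 side, the library options that decide whether DNS is consulted at all are the `dns_lookup_kdc`, `dns_lookup_realm` and `dns_canonicalize_hostname` settings in `krb5.conf` (from the MIT documentation, not from this thread); a policy like the one above only matters for the lookups those settings leave enabled.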
