tickets with wrong DNS

Nico Williams nico at cryptonector.com
Mon Jun 9 12:14:09 EDT 2014


Making sure that the client's host-based principal name matches its IP
address is something best done asynchronously by scraping the logs.

Adding synchronous DNSSEC validation of this in the KDC (obviously the
KDC internally would do things asynchronously) would add to latency.
Probably not a big deal.  It would also require significant
restructuring of KDC implementations, for relatively little value.
Though to be frank, I do think it'd be good for KDCs to be so
structured anyways so that various slow operations could be added by
pre-auth and authz plugins of various types.

Nico
--
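A log-scraping check of the kind Nico describes above, added here as an example (it is not code from this thread or from any Kerberos implementation): it parses constructed KDC AS_REQ "ISSUE" records, loosely modelled on MIT krb5kdc's log format, and flags host/ principals whose requesting IP is not among the addresses a resolver returns for that hostname. The resolver is injected; the constructed FAKE_DNS table stands in for real DNS so the script runs offline.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed KDC log lines, loosely modelled on MIT krb5kdc AS_REQ "ISSUE"
# records; hostnames, IPs and the realm are placeholders, not real data.
SAMPLE_LOG = """\
Jun 09 12:14:09 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1402330449, etypes {rep=18 tkt=18 ses=18}, host/web1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 09 12:14:10 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.99: ISSUE: authtime 1402330450, etypes {rep=18 tkt=18 ses=18}, host/db1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 09 12:14:11 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1402330451, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed stand-in for DNS so the example runs offline; in production
# pass a resolver backed by a DNSSEC-validating stub instead.
FAKE_DNS: Dict[str, List[str]] = {
    "web1.example.com": ["192.0.2.10"],
    "db1.example.com": ["192.0.2.30"],  # db1 lives at .30, yet a ticket was issued to .99
}

AS_REQ_RE = re.compile(
    r"AS_REQ .*? (?P<ip>[0-9a-fA-F.:]+): ISSUE: .*?, (?P<client>host/(?P<host>[^@\s]+)@\S+) for "
)

def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])

def system_resolver(name: str) -> List[str]:
    """Resolve via the OS stub; only trustworthy if that stub validates DNSSEC."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def find_mismatches(log_text: str, resolve: Callable[[str], List[str]]) -> List[dict]:
    """Return issued host/ tickets whose requesting IP is not an address of the named host."""
    findings = []
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if not m:
            continue  # user principals and non-ISSUE records are not checked
        host, ip = m.group("host"), m.group("ip")
        addrs = resolve(host)
        if ip not in addrs:
            findings.append({"principal": m.group("client"), "src_ip": ip, "dns": addrs})
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG, fake_resolver):
        print(f"MISMATCH {f['principal']} requested from {f['src_ip']}, DNS says {f['dns'] or 'no answer'}")
```

Without DNSSEC validation in the resolver the DNS answer itself can be forged, so a mismatch is a signal to investigate, not proof of misuse.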