No mention of _kerberos TXT in RFCs / but we have DNSSEC now

Benjamin Kaduk kaduk at MIT.EDU
Thu Oct 16 23:04:13 EDT 2014


On Mon, 13 Oct 2014, Rick van Rein wrote:

> Hello,
>
> Most of us know about the practice of the _kerberos TXT records in DNS; this can help to translate a servername to a REALM name, which is especially helpful if we want to crossover to other realms.  This is coded into MIT krb5, and I bet many of our domains implement it.
>
> A grep on my RFC collection showed no RFC that defines the TXT discipline; even RFC 4120 does not, even though
> https://datatracker.ietf.org/doc/draft-ietf-krb-wg-krb-dns-locate/history/
> says it has “incorporated into RFC 4120” the draft that introduced the TXT records.

Looking at the timestamps on that page, it seems likely to be an action
mostly for the purposes of clearing up a datatracker dashboard, that is
mostly correct but did not strictly speaking apply to the complete
contents of the document (just part of it).

I'm insufficiently motivated to go look at the krb-wg archives from 2002
to see the discussion of why only the SRV records were incorporated and
not the TXT ones.

> The TXT records were always considered unreliable, but we’ve seen DNSSEC
> become a reality these days, so it might be up for another chance.  If
> I’m not mistaken?

That is probably true.  The wisdom of "just put everything in the DNS"
remains as unclear as it ever was, of course.

-Ben
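An added illustration of the lookup discipline discussed above, not code from this thread or from MIT krb5: walk from _kerberos.<hostname> up through the parent domains, and, since DNSSEC is the point of the exchange, accept a TXT answer only when the resolver validated it. The stub resolver and zone entries are constructed, and stopping before the TLD is an assumed policy, not necessarily what any library does.

```python
"""Hostname -> Kerberos realm via _kerberos TXT records, trusting only
DNSSEC-validated answers.  Added illustration; the zone data and stub
resolver are constructed for this example."""

from typing import Callable, List, Optional, Tuple

# Constructed zone data: qname -> (TXT values, DNSSEC-authenticated?).
# The boolean stands in for the AD bit a validating resolver sets on the
# response; real code would read it from the DNS reply instead.
STUB_ZONE = {
    "_kerberos.www.example.com.": (["EXAMPLE.COM"], True),
    "_kerberos.example.com.":     (["EXAMPLE.COM"], True),
    "_kerberos.lab.example.net.": (["LAB.EXAMPLE.NET"], False),  # unsigned zone
    "_kerberos.example.net.":     (["EXAMPLE.NET"], True),
}

Resolver = Callable[[str], Optional[Tuple[List[str], bool]]]


def stub_resolve(qname: str) -> Optional[Tuple[List[str], bool]]:
    """Return (txt_values, authenticated), or None for NXDOMAIN/NODATA."""
    return STUB_ZONE.get(qname)


def realm_for_host(hostname: str, resolve: Resolver = stub_resolve,
                   require_dnssec: bool = True) -> Optional[str]:
    """Query _kerberos.<host>, then each parent domain, stopping before the
    TLD (assumed policy).  Return the first TXT realm whose answer passed
    DNSSEC validation, or None if no trustworthy record exists."""
    labels = hostname.rstrip(".").lower().split(".")
    while len(labels) >= 2:
        qname = "_kerberos." + ".".join(labels) + "."
        answer = resolve(qname)
        labels.pop(0)  # next iteration tries the parent domain
        if answer is None:
            continue
        values, authenticated = answer
        if require_dnssec and not authenticated:
            # An unsigned answer is exactly the "unreliable" case the thread
            # mentions: a spoofed TXT could steer a client to a hostile
            # realm, so skip it rather than trust it.
            continue
        if values:
            return values[0].strip()
    return None
```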