rdns, past and future
Simo Sorce
simo at redhat.com
Tue May 26 17:32:33 EDT 2020
On Tue, 2020-05-26 at 15:09 -0600, Ken Dreyer wrote:
> Hi folks,
>
> In public cloud environments or Kubernetes environments, PTR records
> are difficult or impossible for administrators to set. We increasingly
> have to tell users to set "rdns = fallback" or "rdns = false".
>
> I'm wondering what the original purpose of Kerberos' rdns feature was.
> Why would a client want or need to do hostname canonicalization?
>
> I'm also wondering if we will ever be able to default MIT Kerberos'
> rdns setting to "fallback" or "false" in a future version. IMHO this
> would make it easier to deploy Kerberos applications in modern hosting
> environments.

FWIW in RHEL and Fedora we have set rdns = false by default since 2013,
and we are now also setting dns_canonicalize_hostname to fallback by
default.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc