rdns, past and future

Simo Sorce simo at redhat.com
Tue May 26 17:32:33 EDT 2020


On Tue, 2020-05-26 at 15:09 -0600, Ken Dreyer wrote:
> Hi folks,
> 
> In public cloud environments or Kubernetes environments, PTR records
> are difficult or impossible for administrators to set. We increasingly
> have to tell users to set "rdns = fallback" or "rdns = false".
> 
> I'm wondering what the original purpose of Kerberos' rdns feature was.
> Why would a client want or need to do hostname canonicalization?
> 
> I'm also wondering if we will ever be able to default MIT Kerberos'
> rdns setting to "fallback" or "false" in a future version. IMHO this
> would make it easier to deploy Kerberos applications in modern hosting
> environments.

FWIW in RHEL and Fedora we set rdns = false by default since 2013, and
we are now also setting dns_canonicalize_hostname to fallback by
default.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc






More information about the Kerberos mailing list