rdns, past and future

Ken Dreyer ktdreyer at ktdreyer.com
Wed May 27 13:59:46 EDT 2020


On Tue, May 26, 2020 at 4:59 PM Jeffrey Altman
<jaltman at secure-endpoints.com> wrote:
>
> On 5/26/2020 6:31 PM, Ken Dreyer wrote:
> > On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
> > <jaltman at secure-endpoints.com> wrote:
> >>
> >>  2. Before the existence of DNS SRV records, CNAME records were the
> >>     only method of offering a service on multiple hosts.  However,
> >>     its a poor idea to share the same key across all of the hosts.
> >
> > I'm curious about this. What makes it a poor idea?
> >
> > It seems like a very convenient way to scale a service up and down
> > dynamically quickly when you share a key among all instances.
>
> Because if you hack into one of the hosts you now have the key for all
> of the hosts.  The holder of the key can forge tickets for any user.

This is true only if the administrator has enabled constrained
delegation for that key (eg. ok_to_auth_as_delegate) right? Is there
some other scenario I'm missing?

> Since the key isn't unique the entire distributed service has to be
> shutdown to address the vulnerability.

Ok, that makes sense. I was thinking of a homogeneous environment
where each app server runs the exact same versions of code, so an
attacker entry through a vulnerability on one system means that all
systems almost certainly have the same vulnerability.

> It is also much harder to trace where the key was stolen from.

Yeah, that's fair.

- Ken


More information about the Kerberos mailing list