[krbdev.mit.edu #8037] rdns default
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Nov 12 15:02:02 EST 2014
This conversation would be better situated on the krbdev at mit.edu
list, but I will answer here.

We absolutely think the rdns=true behavior is dumb and recommend
turning it off. But we also try very hard to make upgrades as
painless as we can--especially on the client side, where they often
happen as part of OS upgrades without anyone explicitly consenting
and reading the release notes. When we have floated the idea of
changing the default, we got feedback that it would definitely affect
some environments in a negative way:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html

The concern isn't so much that those particular environments would be
adversely affected; anyone who is sufficiently informed could simply
turn it on explicitly. But we would undoubtedly surprise people who
run similar environments and aren't on the kerberos at mit.edu list.

We have a rough design, but not a timeline, for getting rid of both
forward and reverse canonicalization at the KDC's option:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html
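
An added example, not part of the original message and not MIT krb5 code: a small audit that reports whether a krb5.conf sets rdns explicitly in [libdefaults] or silently relies on the default the message discusses. The sample configs are constructed; the accepted boolean spellings and the first-match-wins handling are assumptions.

```python
import re

# Boolean spellings accepted by this audit (assumed to match the krb5 profile parser).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

# Constructed sample configs, not taken from any real deployment.
SAMPLE_IMPLICIT = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
SAMPLE_HARDENED = """
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
"""

def audit_rdns(conf_text):
    """Return (effective_rdns, explicit) for the [libdefaults] section."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "rdns":  # assumption: the first occurrence wins
            word = value.lower()
            if word in TRUE_WORDS:
                return True, True
            if word in FALSE_WORDS:
                return False, True
            raise ValueError(f"unrecognized rdns value: {value!r}")
    # No explicit setting: the rdns=true default discussed above applies.
    return True, False

if __name__ == "__main__":
    for name, text in (("implicit", SAMPLE_IMPLICIT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_rdns(text))
```

Hosts that report `(True, False)` are the ones a future change of default would affect without anyone having chosen the behavior.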