Implementing IETF Draft on DNS use in Kerberos

Matt Crawford crawdad at fnal.gov
Tue Jul 16 15:13:12 EDT 2002


>  We are planning to implement the Internet draft
> "draft-ietf-cat-krb-dns-locate-02.txt" in its entirety and for this
> we might introduce a new parameter in the krb5.conf file indicating
> the use of DNS to locate all the server locations.

To me, the goal is not to need any krb5.conf info (or as little as
possible) so I would not want to put a marker in krb5.conf to turn it
on.  The presence of the RRs seems enough of a signal.  If you want
to turn it off, maybe you could do that through krb5.conf.

>  Has anybody implemented the draft or faced any problems in the use
> of DNS to locate the server locations ??

I did change the order of searching between [domain_realm] and DNS so
that it goes like this:

    /*
        Check the [domain_realm] profile section as well as DNS, taking the
        most specific information we can find.  DNS is only checked for the
        full hostname and the first "beheading" of it.  The profile is only
        checked for the full hostname and its suffixes beginning with '.'.
        Example: Given a host a.b.c.d.e, try to match on:
         1) A.B.C.D.E   from profile
         2) A.B.C.D.E   from DNS
         3) .B.C.D.E    from profile
         4) B.C.D.E     from DNS
         5) .C.D.E      from profile
         6) .D.E        from profile
         7) .E          from profile
     */
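As an added illustration (not Matt's code and not MIT krb5's), the following C program models the lookup order the comment above describes: it generates the seven candidates for a host such as a.b.c.d.e and walks them in order against two tables. The tables are constructed sample data standing in for the [domain_realm] profile section and for the realm answers a resolver would return from DNS; the real DNS query is assumed away, and case-insensitive matching by lower-casing is an assumption of this example. Running it shows two consequences of the ordering worth knowing when you administer such a client: a profile entry for the exact hostname takes precedence over a DNS answer for the same name, but a DNS answer for the first beheading still wins over a shorter profile suffix, so an override in krb5.conf has to be at least as specific as what DNS can supply.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_CANDIDATES 32
#define MAX_NAME 256

enum source { SRC_PROFILE, SRC_DNS };

/* One lookup to attempt: where to look and which key to look for. */
struct candidate {
    enum source src;
    char key[MAX_NAME];
};

/* Produce, in order, the lookups listed in the comment above for one host.
 * Profile keys are the full name and its '.'-prefixed suffixes; DNS keys are
 * the full name and its first "beheading" only. Returns the count. */
int build_candidates(const char *host, struct candidate *out, int max)
{
    char h[MAX_NAME];
    size_t i, len = strlen(host);
    int n = 0, first_beheading = 1;
    const char *dot;

    if (len == 0 || len >= MAX_NAME || max < 2)
        return 0;
    /* Assumption of this example: keys are matched case-insensitively. */
    for (i = 0; i < len; i++)
        h[i] = (char)tolower((unsigned char)host[i]);
    h[len] = '\0';

    out[n].src = SRC_PROFILE; strcpy(out[n].key, h); n++;   /* 1) */
    out[n].src = SRC_DNS;     strcpy(out[n].key, h); n++;   /* 2) */

    for (dot = strchr(h, '.'); dot && n < max; dot = strchr(dot + 1, '.')) {
        if (dot[1] == '\0')          /* trailing dot: no further suffix */
            break;
        out[n].src = SRC_PROFILE; strcpy(out[n].key, dot); n++;    /* 3),5),6),7) */
        if (first_beheading && n < max) {
            out[n].src = SRC_DNS; strcpy(out[n].key, dot + 1); n++; /* 4) */
            first_beheading = 0;
        }
    }
    return n;
}

/* Constructed sample data standing in for the [domain_realm] section and for
 * the answers a resolver would return from DNS; not real configuration. */
struct mapping { const char *key; const char *realm; };

const struct mapping sample_profile[] = {
    { "kdc.c.d.e", "PROFILE.REALM" },   /* exact host entry */
    { ".c.d.e",    "PROFILE.REALM" },   /* suffix entry */
    { NULL, NULL }
};
const struct mapping sample_dns[] = {
    { "kdc.c.d.e", "DNS.REALM" },       /* same host also answered by DNS */
    { "b.c.d.e",   "DNS.REALM" },       /* first beheading of a.b.c.d.e */
    { NULL, NULL }
};

static const char *table_lookup(const struct mapping *t, const char *key)
{
    for (; t->key != NULL; t++)
        if (strcmp(t->key, key) == 0)
            return t->realm;
    return NULL;
}

/* Walk the candidate list and return the first realm found, or NULL. */
const char *resolve_realm(const char *host, const struct mapping *profile,
                          const struct mapping *dns)
{
    struct candidate c[MAX_CANDIDATES];
    int i, n = build_candidates(host, c, MAX_CANDIDATES);
    for (i = 0; i < n; i++) {
        const char *r = table_lookup(c[i].src == SRC_PROFILE ? profile : dns,
                                     c[i].key);
        if (r != NULL)
            return r;
    }
    return NULL;
}

int main(void)
{
    struct candidate c[MAX_CANDIDATES];
    int i, n = build_candidates("a.b.c.d.e", c, MAX_CANDIDATES);
    for (i = 0; i < n; i++)
        printf("%d) %-12s from %s\n", i + 1, c[i].key,
               c[i].src == SRC_PROFILE ? "profile" : "DNS");
    printf("a.b.c.d.e -> %s\n", resolve_realm("a.b.c.d.e", sample_profile, sample_dns));
    printf("kdc.c.d.e -> %s\n", resolve_realm("kdc.c.d.e", sample_profile, sample_dns));
    return 0;
}
```

With the sample tables, a.b.c.d.e resolves to DNS.REALM (the beheading b.c.d.e is found in DNS before the profile suffix .c.d.e is reached), while kdc.c.d.e resolves to PROFILE.REALM because the profile is consulted first for the full name.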
