Implementing IETF Draft on DNS use in Kerberos

Jeffrey Altman jaltman at columbia.edu
Tue Jul 16 15:17:01 EDT 2002


As described in the draft there are security considerations to be
aware of.  While there are no new attacks, it does provide an avenue
for those attacks to be performed at an additional location.

Having a flag in krb5.conf is fine, provided that if there is no
krb5.conf the DNS SRV and DNS TXT lookups are used.


> >  We are planning to implement the Internet draft
> > "draft-ietf-cat-krb-dns-locate-02.txt" in its entirety and for this
> > we might introduce a new parameter in the krb5.conf file indicating
> > the use of DNS to locate all the server locations.
> 
> To me, the goal is not to need any krb5.conf info (or as little as
> possible) so I would not want to put a marker in krb5.conf to turn it
> on.  The presence of the RRs seems enough of a signal.  If you want
> to turn it off, maybe you could do that through krb5.conf.
> 
> >  Has anybody implemented the draft or faced any problems in the use
> > of DNS to locate the server locations ??
> 
> I did change the order of searching between [domain_realm] and DNS so
> that it goes like this:
> 
>     /*
>         Check the [domain_realm] profile section as well as DNS, taking the
>         most specific information we can find.  DNS is only checked for the
>         full hostname and the first "beheading" of it.  The profile is only
>         checked for the full hostname and its suffixes beginning with '.'.
>         Example: Given a host a.b.c.d.e, try to match on:
>          1) A.B.C.D.E   from profile
>          2) A.B.C.D.E   from DNS
>          3) .B.C.D.E    from profile
>          4) B.C.D.E     from DNS
>          5) .C.D.E      from profile
>          6) .D.E        from profile
>          7) .E          from profile
>      */
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
> 



 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 kermit-support at columbia.edu               OpenSSL.
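The host-to-realm search order quoted in the reply above, as an added example that is not part of the original message and not MIT krb5 code: a Python function that walks the [domain_realm] profile section and the DNS TXT lookups in the order given in the quoted comment (profile and DNS for the full name, profile and DNS for the first beheading, then profile only for each further suffix). The draft maps a host to its realm via a TXT record at _kerberos.<hostname>; here the profile is a constructed dict and the TXT lookups are answered from a constructed table so the code runs offline. The `use_dns` switch standing in for the krb5.conf flag under discussion, the sample entries, and the function names are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample [domain_realm] section (assumption, not a real config).
# Keys starting with '.' match a domain suffix; other keys match a full hostname.
PROFILE_DOMAIN_REALM: Dict[str, str] = {
    ".example.com": "EXAMPLE.COM",
    "kdc.lab.example.com": "LAB.EXAMPLE.COM",
    ".c.d.e": "CDE.REALM",
}

# Constructed stand-in for _kerberos.<name> TXT records (assumption).
FAKE_DNS_TXT: Dict[str, str] = {
    "_kerberos.www.lab.example.com": "WEB.EXAMPLE.COM",
    "_kerberos.b.c.d.e": "BCDE.REALM",
}


def fake_txt_lookup(name: str) -> Optional[str]:
    """Offline stand-in for a DNS TXT query of `name` (assumption)."""
    return FAKE_DNS_TXT.get(name.lower())


def search_order(host: str) -> List[Tuple[str, str]]:
    """Build the (source, key) sequence from the quoted comment.

    For a.b.c.d.e this yields: profile a.b.c.d.e, DNS a.b.c.d.e,
    profile .b.c.d.e, DNS b.c.d.e, profile .c.d.e, profile .d.e, profile .e.
    DNS is consulted only for the full name and its first beheading.
    """
    labels = host.split(".")
    order: List[Tuple[str, str]] = [("profile", host), ("dns", host)]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        order.append(("profile", "." + suffix))
        if i == 1:
            order.append(("dns", suffix))
    return order


def host_to_realm(
    host: str,
    profile: Dict[str, str],
    txt_lookup: Callable[[str], Optional[str]] = fake_txt_lookup,
    use_dns: bool = True,
) -> Optional[Tuple[str, str]]:
    """Return (realm, "source:key") for the most specific match, or None.

    `use_dns=False` models a krb5.conf flag that disables the DNS path;
    the profile entries are then the only source consulted.
    """
    host = host.rstrip(".").lower()
    profile = {k.lower(): v for k, v in profile.items()}
    for source, key in search_order(host):
        if source == "profile":
            realm = profile.get(key)
        elif use_dns:
            # The draft's host-to-realm record lives at _kerberos.<name> TXT.
            realm = txt_lookup("_kerberos." + key)
        else:
            continue
        if realm:
            return realm, f"{source}:{key}"
    return None
```

Note where DNS sits in the order: a TXT answer for the full hostname or its first beheading beats a less specific profile suffix such as `.c.d.e`. Since these DNS answers are not authenticated, that is the "additional location" for existing attacks that the reply refers to: whoever can spoof the TXT record for `_kerberos.b.c.d.e` chooses the realm the client maps `a.b.c.d.e` into, even when an administrator has configured a broader suffix in krb5.conf. Setting `use_dns=False` (the flag under discussion) removes that path entirely.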
