Implementing IETF Draft on DNS use in Kerberos

Sam Hartman hartmans at MIT.EDU
Tue Jul 16 15:52:01 EDT 2002


>>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:

    Jeffrey> As described in the draft there are security
    Jeffrey> considerations to be aware of.  While there are no new
    Jeffrey> attacks it does provide an avenue for those attacks to be
    Jeffrey> performed at an additional location.

    Jeffrey> Having a flag in krb5.conf is fine provided that if there
    Jeffrey> is no krb5.conf that the DNS SRV and DNS TXT lookups be
    Jeffrey> used.

I think a lot of us would argue that the right default is yes for SRV
and no for txt.  Especially if we're going to move to cross-realm
referrals.



