Implementing IETF Draft on DNS use in Kerberos

Jeffrey Altman jaltman at
Tue Jul 16 15:57:00 EDT 2002

> >>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:
>     Jeffrey> As described in the draft there are security
>     Jeffrey> considerations to be aware of.  While there are no new
>     Jeffrey> attacks it does provide an avenue for those attacks to be
>     Jeffrey> performed at an additional location.
>     Jeffrey> Having a flag in krb5.conf is fine provided that, if there
>     Jeffrey> is no krb5.conf, the DNS SRV and DNS TXT lookups are
>     Jeffrey> used.
> I think a lot of us would argue that the right default is yes for SRV
> and no for txt.  Especially if we're going to move to cross-realm
> referrals.

The primary reason for wanting DNS TXT lookups turned on for machines
without krb5.conf files is that otherwise there is no method by which
the machine can determine which realm it belongs to.

When a krb5.conf file exists, the defaults should be DNS SRV on, DNS
TXT off.
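The two lookups the thread is weighing, as an added illustration that is not code from the draft or from any Kerberos implementation. The zone data is constructed and served by an in-memory resolver; the point it makes is that a TXT-derived realm is whatever the DNS operator for the walked zone says it is, whereas a SRV answer only locates a KDC that still has to prove possession of the realm's keys.

```python
"""Realm (TXT) and KDC (SRV) discovery in the style of the krb-dns-locate draft."""

# Constructed zone standing in for the real resolver (assumption, not live data).
FAKE_DNS = {
    ("_kerberos.ws17.eng.example.com", "TXT"): [],
    ("_kerberos.eng.example.com", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos._udp.EXAMPLE.COM", "SRV"): [
        # (priority, weight, port, target)
        (10, 100, 88, "kdc2.example.com"),
        (0, 100, 88, "kdc1.example.com"),
    ],
}

def resolve(name, rtype):
    """Offline stand-in for a DNS query; returns [] on NXDOMAIN/NODATA."""
    return FAKE_DNS.get((name, rtype), [])

def txt_realm_lookup(hostname, query=resolve):
    """Walk _kerberos.<host>, _kerberos.<parent>, ... and take the first TXT answer.
    The realm name therefore comes from whoever controls the first zone that answers."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        answer = query("_kerberos." + ".".join(labels[i:]), "TXT")
        if answer:
            return answer[0]
    return None

def srv_kdc_lookup(realm, query=resolve, proto="_udp"):
    """Return (host, port) pairs for the realm's KDCs, lowest priority first."""
    records = query(f"_kerberos.{proto}.{realm}", "SRV")
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(host, port) for _prio, _weight, port, host in ordered]

def discover(hostname, default_realm, dns_lookup_realm, dns_lookup_kdc, query=resolve):
    """Apply the precedence argued in the thread: a configured default_realm wins,
    TXT is consulted only when allowed, SRV only when allowed.
    Returns (realm, kdcs, realm_source) so a caller can log where the realm came from."""
    if default_realm:
        realm, source = default_realm, "krb5.conf"
    elif dns_lookup_realm:
        realm, source = txt_realm_lookup(hostname, query), "dns-txt"
    else:
        realm, source = None, None
    kdcs = srv_kdc_lookup(realm, query) if realm and dns_lookup_kdc else []
    return realm, kdcs, source
```

Logging `realm_source` is the cheap detection hook: a host that should have a krb5.conf but reports `dns-txt` has either lost its configuration or is being steered by DNS.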

