Implementing IETF Draft on DNS use in Kerberos
Jeffrey Altman
jaltman at columbia.edu
Tue Jul 16 15:57:00 EDT 2002
> >>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>
> Jeffrey> As described in the draft there are security
> Jeffrey> considerations to be aware of. While there are no new
> Jeffrey> attacks it does provide an avenue for those attacks to be
> Jeffrey> performed at an additional location.
>
> Jeffrey> Having a flag in krb5.conf is fine provided that if there
> Jeffrey> is no krb5.conf that the DNS SRV and DNS TXT lookups be
> Jeffrey> used.
>
> I think a lot of us would argue that the right default is yes for SRV
> and no for txt. Especially if we're going to move to cross-realm
> referals.
>
The primary reason for wanting DNS TXT lookups turned on for machines
without krb5.conf files is that otherwise there is no method by which
the machine can determine which realm it belongs to.
When a krb5.conf file exists, the defaults should be DNS SRV on, DNS
TXT off.
Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and
kermit-support at columbia.edu OpenSSL.
More information about the krbdev
mailing list