Using DNS for realm information

Hari Pulapaka pulapaka.hari at
Tue Jul 16 18:54:19 EDT 2002


I have some questions regarding the use of DNS for realm lookups. 

	hartmans>Especially if we're going to move to cross-realm referals.

Is MIT thinking of using referrals for cross-realm authentication in the future ? If yes then what about the use of use DNS for hostname/domain name to Kerberos realm mapping, will that still be supported ??

Also can somebody give me a pointer, as to where I can find some information regarding the types of attacks that are possible using spoofed DNS records for cross-realm authentication?? I am not very clear on this subject. 



Sam Hartman wrote:
> >>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:
>     Jeffrey> As described in the draft there are security
>     Jeffrey> considerations to be aware of.  While there are no new
>     Jeffrey> attacks it does provide an avenue for those attacks to be
>     Jeffrey> performed at an additional location.
>     Jeffrey> Having a flag in krb5.conf is fine provided that if there
>     Jeffrey> is no krb5.conf that the DNS SRV and DNS TXT lookups be
>     Jeffrey> used.
> I think a lot of us would argue that the right default is yes for SRV
> and no for txt.  Especially if we're going to move to cross-realm
> referals.

More information about the krbdev mailing list