Using DNS for realm information
Hari Pulapaka
pulapaka.hari at sun.com
Tue Jul 16 18:54:19 EDT 2002
Hi,
I have some questions regarding the use of DNS for realm lookups.
hartmans> Especially if we're going to move to cross-realm referrals.
Is MIT thinking of using referrals for cross-realm authentication in the future? If yes, then what about the use of DNS for hostname/domain name to Kerberos realm mapping, will that still be supported?
Also, can somebody give me a pointer as to where I can find some information regarding the types of attacks that are possible using spoofed DNS records for cross-realm authentication? I am not very clear on this subject.
Thanks,
Hari.
Sam Hartman wrote:
>
> >>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>
> Jeffrey> As described in the draft there are security
> Jeffrey> considerations to be aware of. While there are no new
> Jeffrey> attacks it does provide an avenue for those attacks to be
> Jeffrey> performed at an additional location.
>
> Jeffrey> Having a flag in krb5.conf is fine provided that if there
> Jeffrey> is no krb5.conf that the DNS SRV and DNS TXT lookups be
> Jeffrey> used.
>
> I think a lot of us would argue that the right default is yes for SRV
> and no for txt. Especially if we're going to move to cross-realm
> referrals.