Using DNS for realm information
Sam Hartman
hartmans at MIT.EDU
Wed Jul 17 10:40:01 EDT 2002
>>>>> "Hari" == Hari Pulapaka <pulapaka.hari at sun.com> writes:
hartmans> Especially if we're going to move to cross-realm
hartmans> referals.
Hari> Is MIT thinking of using referrals for cross-realm
Hari> authentication in the future ?
The Kerberos working group of the IETF has reached a consensus that
cross-realm referals is the way to go. MIT is very committed to
following work in the IETF.
I don't think we've ever really thought cross-realm referals were a
bad idea; we did have significant concerns in the past about some of
the implementation details and surrounding technologies. Those
concerns have been addressed to the satisfaction of all parties I know
of.
Hari> If yes then what about the
Hari> use of use DNS for hostname/domain name to Kerberos realm
Hari> mapping, will that still be supported ??
Hopefully not, but as a matter of practical necessity there will
probably be people who need this functionality or who have migration
delays for some time to come. In an ideal world we'd be able to
quickly remove that support, but we live in a world where we must
consider customer needs.
Hari> Also can somebody give me a pointer, as to where I can find
Hari> some information regarding the types of attacks that are
Hari> possible using spoofed DNS records for cross-realm
Hari> authentication?? I am not very clear on this subject.
The draft describes these concerns.
More information about the krbdev
mailing list