Using DNS for realm information

Sam Hartman hartmans at MIT.EDU
Wed Jul 17 10:40:01 EDT 2002

>>>>> "Hari" == Hari Pulapaka <pulapaka.hari at> writes:

    hartmans> Especially if we're going to move to cross-realm
    hartmans> referals.

    Hari> Is MIT thinking of using referrals for cross-realm
    Hari> authentication in the future ? 

The Kerberos working group of the IETF has reached a consensus that
cross-realm referals is the way to go.  MIT is very committed to
following work in the IETF.

I don't think we've ever really thought cross-realm referals were a
bad idea; we did have significant concerns in the past about some of
the implementation details and surrounding technologies.  Those
concerns have been addressed to the satisfaction of all parties I know
    Hari> If yes then what about the
    Hari> use of use DNS for hostname/domain name to Kerberos realm
    Hari> mapping, will that still be supported ??

Hopefully not, but as a matter of practical necessity there will
probably be people who need this functionality or who have migration
delays for some time to come.  In an ideal world we'd be able to
quickly remove that support, but we live in a world where we must
consider customer needs.

    Hari> Also can somebody give me a pointer, as to where I can find
    Hari> some information regarding the types of attacks that are
    Hari> possible using spoofed DNS records for cross-realm
    Hari> authentication?? I am not very clear on this subject.

The draft describes these concerns.

More information about the krbdev mailing list