Implementing IETF Draft on DNS use in Kerberos

Will Fiveash william.fiveash at
Thu Jul 18 14:13:00 EDT 2002

On Tue, Jul 16, 2002 at 03:56:01PM -0400, Jeffrey Altman wrote:
> > >>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:
> > 
> >     Jeffrey> As described in the draft there are security
> >     Jeffrey> considerations to be aware of.  While there are no new
> >     Jeffrey> attacks it does provide an avenue for those attacks to be
> >     Jeffrey> performed at an additional location.
> > 
> >     Jeffrey> Having a flag in krb5.conf is fine provided that if there
> >     Jeffrey> is no krb5.conf that the DNS SRV and DNS TXT lookups be
> >     Jeffrey> used.
> > 
> > I think a lot of us would argue that the right default is yes for SRV
> > and no for txt.  Especially if we're going to move to cross-realm
> > referrals.
> > 
> The primary reason for wanting DNS TXT lookups turned on for machines
> without krb5.conf files is that otherwise there is no method by which
> the machine can determine which realm it belongs to.

This issue has me confused.  The IETF wg and others feel that Kerberos
referrals should be used for realm lookups since DNS TXT realm lookups
are insecure but in the case of a client without a krb5.conf file
there doesn't seem to be a way (other than a DNS TXT realm lookup) for
the client to know its realm and thus which KDC to contact in order
to do referrals.

Would it be reasonably safe to restrict the client to looking up its
local realm via DNS TXT since it would be contacting the local KDC and
the shared secret key would provide spoofing protection (cross-realm
lookups would be handled by referral once the local KDC is known)?

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
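The lookup order the thread is arguing about, as an added example (not code from the original post or from any Kerberos implementation): realm mapping consults configured [domain_realm]-style entries first and falls back to the unauthenticated `_kerberos` TXT walk only when a `dns_lookup_realm` flag permits it, while KDC location uses `_kerberos._udp`/`_tcp` SRV records under a separate `dns_lookup_kdc` flag. The flag names follow MIT krb5's krb5.conf options; the zone data and hostnames are constructed.

```python
# Constructed DNS zone for illustration: (qname, qtype) -> rdata list.
# SRV rdata is (priority, weight, port, target).  Not real data.
ZONE = {
    ("_kerberos.example.com", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos._udp.EXAMPLE.COM", "SRV"): [(0, 0, 88, "kdc1.example.com"),
                                            (10, 0, 88, "kdc2.example.com")],
    ("_kerberos._tcp.EXAMPLE.COM", "SRV"): [(0, 0, 88, "kdc1.example.com")],
}

def dns_query(name, qtype, zone=ZONE):
    """Case-insensitive lookup in the constructed zone (stands in for a
    real resolver; nothing here is authenticated, just like plain DNS)."""
    for (n, t), rdata in zone.items():
        if t == qtype and n.lower() == name.lower():
            return rdata
    return []

def host_realm(hostname, *, dns_lookup_realm, static_map=None, zone=ZONE):
    """Map a host to its realm.  Configured mappings (krb5.conf
    [domain_realm], keyed 'host' or '.domain') win; the TXT walk is only
    consulted when dns_lookup_realm is true, otherwise we fail closed."""
    static_map = static_map or {}
    labels = hostname.lower().split(".")
    for i in range(len(labels)):                 # longest-suffix match
        suffix = ".".join(labels[i:])
        for key in (suffix, "." + suffix):
            if key in static_map:
                return static_map[key]
    if not dns_lookup_realm:
        return None          # no trusted source for the realm: give up
    # TXT walk: _kerberos.ws1.example.com, _kerberos.example.com, ...
    for i in range(len(labels)):
        txt = dns_query("_kerberos." + ".".join(labels[i:]), "TXT", zone)
        if txt:
            return txt[0]
    return None

def locate_kdcs(realm, *, dns_lookup_kdc, transport="udp", zone=ZONE):
    """Return (host, port) pairs for the realm's KDCs from
    _kerberos._<transport>.<REALM> SRV records, lowest priority first,
    higher weight first within a priority."""
    if not dns_lookup_kdc:
        return []
    srv = dns_query(f"_kerberos._{transport}.{realm}", "SRV", zone)
    return [(host, port) for _, _, port, host in
            sorted(srv, key=lambda r: (r[0], -r[1]))]
```

With the defaults argued for in the thread (SRV on, TXT off) a host with no configured mapping gets no realm at all, which is exactly the no-krb5.conf case the thread is worried about; the KDC's shared key later authenticates the KDC, but nothing authenticates the TXT answer that chose it.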
