Implementing IETF Draft on DNS use in Kerberos

Will Fiveash william.fiveash at
Thu Jul 18 14:38:00 EDT 2002

On Thu, Jul 18, 2002 at 02:18:18PM -0400, Jeffrey Altman wrote:
> > 
> > This issue has me confused.  The IETF wg and others feel that Kerberos
> > referrals should be used for realm lookups since DNS TXT realm lookups
> > are insecure but in the case of a client without a krb5.conf file
> > there doesn't seem to be a way (other than a DNS TXT realm lookup) for
> > the client to know it's realm and thus which KDC to contact in order
> > to do referrals.  
> > 
> > Would it be reasonably safe to restrict the client to looking up it's
> > local realm via DNS TXT since it would be contacting the local KDC and
> > the shared secret key would provide spoofing protection (cross-realm
> > lookups would be handled by referral once the local KDC is known)?
> > 
> It would be safe provided that upon receiving the local Realm info and
> using it to retrieve a TGT, that the TGT be used to retrieve a service
> ticket to verify against the local machine.  Of course, this can't be
> done unless the local machine was configured to be part of the local
> realm; AND as such had a service key installed on it.

I thought that the receipt of a valid TGT was proof for the client
that it was dealing with a trusted KDC and thus the local realm lookup
was valid.  If this is true, then it doesn't seem necessary to get a
service ticket in order to validate the local realm lookup.  (I should
point out that by client I mean client principal with an entry in the
KDC's princ db.)

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list