Implementing IETF Draft on DNS use in Kerberos
hartmans at MIT.EDU
Fri Jul 19 11:11:01 EDT 2002
Yes. Note however a security problem exists when the DNS support is
used for determining something other than the local realm.
If I ssh to foo.bar.com, then I have the standard DNS spoofing attack
that I can change what principal I authenticate to by changing what
foo.bar.com canonicalizes to.
However for many realms this is of limited value because all of the
host keys in the realm are fairly trusted.
But if you can spoof DNS and cause someone to authenticate against
another realm that has a shared key, you have significantly greater
More information about the krbdev