Implementing IETF Draft on DNS use in Kerberos

Sam Hartman hartmans at MIT.EDU
Fri Jul 19 11:11:01 EDT 2002

Yes.  Note however a security problem exists when the DNS support is
used for determining something other than the local realm.

If I ssh to, then I have the standard DNS spoofing attack
that I can change what principal I authenticate to by changing what canonicalizes to.

However for many realms this is of limited value because all of the
host keys in the realm are fairly trusted.

But if you can spoof DNS and cause someone to authenticate against
another realm that has a shared key, you have significantly greater

More information about the krbdev mailing list