Implementing IETF Draft on DNS use in Kerberos

Sam Hartman hartmans at MIT.EDU
Fri Jul 19 11:11:01 EDT 2002


Yes.  Note, however, that a security problem exists when the DNS support is
used for determining something other than the local realm.


If I ssh to foo.bar.com, then I have the standard DNS spoofing attack
that I can change what principal I authenticate to by changing what
foo.bar.com canonicalizes to.

However, for many realms this is of limited value because all of the
host keys in the realm are fairly trusted.

But if you can spoof DNS and cause someone to authenticate against
another realm that has a shared key, you have significantly greater
exposure.
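
A sketch of the client-side policy this message points toward, as an added example that is not part of the original post or of MIT Kerberos code: a realm learned from DNS is accepted only when it names the local realm, and any other realm must come from a static mapping. The realm names, the mapping table and the function names are constructed for illustration, and the suffix matching is a simplified model of a static host-to-realm table.

```python
# Added example (hypothetical names throughout; no network access is performed).
LOCAL_REALM = "BAR.COM"  # constructed local realm

# Constructed static host/domain-to-realm table; a leading dot means "any host below".
DOMAIN_REALM = {
    "bar.com": "BAR.COM",
    ".bar.com": "BAR.COM",
}


def static_realm(host, mapping=DOMAIN_REALM):
    """Return the statically pinned realm for host, or None if nothing matches."""
    name = host.rstrip(".").lower()
    if name in mapping:                      # exact host entry wins
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # then parent domains, longest first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def evaluate(host, dns_realm, local_realm=LOCAL_REALM, mapping=DOMAIN_REALM):
    """Decide which realm to use for host given an untrusted DNS-derived realm.

    dns_realm is whatever realm name an unauthenticated DNS answer supplied
    (None if there was no answer). Returns (realm_or_None, verdict).
    """
    pinned = static_realm(host, mapping)
    if pinned is not None:
        # Static configuration always wins; a disagreeing DNS answer is worth logging.
        if dns_realm is not None and dns_realm.upper() != pinned:
            return pinned, "dns-conflicts-with-static"
        return pinned, "static"
    if dns_realm is None:
        return None, "unknown"
    if dns_realm.upper() == local_realm:
        # Limited exposure: the answer stays inside the local realm.
        return local_realm, "dns-local"
    # DNS is steering the client to another realm: refuse without a static entry.
    return None, "rejected-foreign-realm-from-dns"


if __name__ == "__main__":
    for h, r in [("foo.bar.com", "PARTNER.EXAMPLE"), ("h.unmapped.example", "PARTNER.EXAMPLE")]:
        print(h, r, evaluate(h, r))
```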
