DNS lookups and krb4 Support

Ken Raeburn raeburn at MIT.EDU
Sun Jun 1 04:26:33 EDT 2003


An interesting tidbit about the SRV RR specification that people may
not be aware of is that it includes a means of indicating that a
service is not provided; you simply provide exactly one RR, with a
target of ".".

(I don't think we explicitly implement it in our code, but I suspect
the address lookup will simply result in zero addresses, causing an
adequate error message to be produced.)

So, a krb5 realm that provides no krb4-related services could choose
to indicate that with:

   _krb524._udp.example.com.     SRV   0 0 0 .
   _kerberos4._udp.example.com.  SRV   0 0 0 .

or something like that.

The absence of any records at all is a lack of information.  In that
situation, it may be reasonable to try heuristics like looking up the
krb5 service and munging the port numbers (or not), or trying the
hostname "kerberos.$REALM" -- but we should never document those as a
recommended approach to administration.

We would just need to make sure that, if the _kerberos4 record exists
and lists ".", we don't go on to use the _kerberos information.

I think it might be useful to tweak the config file handling code,
too, so that we have a way of indicating that the service isn't
available, and fallback heuristics should not be used.

Ken
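Added example, not part of Ken's post: the lookup policy he describes, written as Python over a constructed in-memory zone instead of live DNS. The names SRV, ZONE, classify_srv and krb4_kdcs are invented here, and 750 is assumed as the conventional krb4 UDP port for the "port munging" heuristic.

```python
from typing import List, NamedTuple, Tuple

class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str  # "." means the service is decidedly absent (RFC 2782)

# Constructed zone data (not real DNS). example.com serves krb5 but
# explicitly disclaims krb4; krb5only.test has krb5 and no krb4 records;
# other.org has no records at all.
ZONE = {
    "_kerberos._udp.example.com.":  [SRV(0, 0, 88, "kdc1.example.com."),
                                     SRV(10, 0, 88, "kdc2.example.com.")],
    "_kerberos4._udp.example.com.": [SRV(0, 0, 0, ".")],
    "_krb524._udp.example.com.":    [SRV(0, 0, 0, ".")],
    "_kerberos._udp.krb5only.test.": [SRV(0, 0, 88, "kdc.krb5only.test.")],
}

def classify_srv(rrset: List[SRV]) -> str:
    """'absent': exactly one RR with target '.'; 'unknown': no records at all;
    'present': at least one usable target."""
    if not rrset:
        return "unknown"
    if len(rrset) == 1 and rrset[0].target == ".":
        return "absent"
    return "present" if any(r.target != "." for r in rrset) else "absent"

def _ordered(rrset: List[SRV]) -> List[SRV]:
    # RFC 2782 order: lowest priority first, higher weight first within a priority.
    return sorted(rrset, key=lambda r: (r.priority, -r.weight))

def krb4_kdcs(realm: str, zone=ZONE, krb4_port: int = 750) -> List[Tuple[str, int]]:
    """(host, port) candidates for krb4 in `realm`. An explicit "." record wins:
    the _kerberos (krb5) data is then never consulted. Heuristics (krb5 hosts on
    the assumed krb4 port, then kerberos.$REALM) run only when DNS says nothing."""
    realm = realm.lower()
    name = f"_kerberos4._udp.{realm}."
    status = classify_srv(zone.get(name, []))
    if status == "absent":
        return []
    if status == "present":
        return [(r.target, r.port) for r in _ordered(zone[name]) if r.target != "."]
    krb5 = zone.get(f"_kerberos._udp.{realm}.", [])
    if classify_srv(krb5) == "present":
        return [(r.target, krb4_port) for r in _ordered(krb5) if r.target != "."]
    return [(f"kerberos.{realm}", krb4_port)]
```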
