host name resolution, again (krb5-1.3-alpha1 is available)

Donn Cave donn at
Mon Mar 17 13:37:30 EST 2003

Quoth Sam Hartman <hartmans at>:
| In my opinion the correct way to do clustering is the return a CNAME
| to the cluster address not an A record.  I believe this can be made to
| work.

Will this really satisfy everyone, though?  I mean, assuming that the
virtue of this approach is that h_name comes back as the actual
host name pointed to by the CNAME.

For more insight into the posture here, I looked for IETF drafts and
found this from Neuman et al. --

I'll append the whole section that bears on this.  My interpretion
is that you're not allowed to use h_name in this way - at least,
if you're using it to domain-extend the name, you'd have to compare
the result to verify that you did _not_ get an alias lookup.

I'm assuming DNS service that does not meet Neuman et al.'s standard
for "secure", as I think any application would have to assume that.

	Donn Cave, University Computing Services, University of Washington
	donn at
 1.2. Choosing a principal with which to communicate 

    The Kerberos protocol provides the means for verifying (subject to 
    the assumptions in 1.5) that the entity with which one communicates 
    is the same entity that was registered with the KDC using the claimed 
    identity (principal name). It is still necessary to determine whether 
    that identity corresponds to the entity with which one intends to 

    When appropriate data has been exchanged in advance, this 
    determination may be performed syntactically by the application based 
    on the application protocol specification, information provided by 
    the user, and configuration files. For example, the server principal 
    name (including realm) for a telnet server might be derived from the 
    user specified host name (from the telnet command line), the "host/" 
    prefix specified in the application protocol specification, and a 
    mapping to a Kerberos realm derived syntactically from the domain 
    part of the specified hostname and information from the local 
    Kerberos realms database. 

    One can also rely on trusted third parties to make this 
    determination, but only when the data obtained from the third party 
    is suitably integrity protected while resident on the third party 
    server and when transmitted.  Thus, for example, one should not rely 
    on an unprotected domain name system record to map a host alias to 
    the primary name of a server, accepting the primary name as the party 
    one intends to contact, since an attacker can modify the mapping and 
    impersonate the party with which one intended to communicate. 

    Implementations of Kerberos and protocols based on Kerberos MUST NOT 
    use insecure DNS queries to canonicalize the hostname components of 
    the service principal names.  In an environment without secure name 
    service, application authors MAY append a statically configured 
    domain name to unqualified hostnames before passing the name to the 
    security mechanisms, but should do no more than that.  Secure name 
    service facilities, if available, might be trusted for hostname 
    canonicalization, but such canonicalization by the client SHOULD NOT 
    be required by an KDC implementation. 

    Implementation note: Many current implementations do some degree of 
    canonicalization of the provided service name, often using DNS even 
    though it creates security problems. However there is no consistency 
    among implementations about whether the service name is case folded 
    to lower case or whether reverse resolution is used. To maximize 
    interoperability and security, applications SHOULD provide security 
    mechanisms with names which result from folding the user-entered name 
    to lower case, without performing any other modifications or 

More information about the krbdev mailing list