DNS lookups and krb4 Support

Sam Hartman hartmans at MIT.EDU
Sat May 31 13:35:24 EDT 2003



When DNS support was added to MIT Kerberos the same SRV record tag was
used to look up both krb5 and krb4 KDCs.

Now, when we are discouraging new realms from deploying krb4 support,
we run into a problem.  We need to know whether a realm supports krb4
before sending krb4 requests to that KDC.  A krb5 KDC may (and our
code now defaults to this behavior) drop krb4 packets on the floor
without answering them at all.

So, attempting to engage in krb4 protocol transactions with a
krb5-only KDC may produce timeouts for the user.  We sometimes get
people complaining about log messages and other events as well.

According to Assar, Heimdal and Kerberos4-kth solve this problem by
using a different service tag for krb4 than the one used for krb5.

We could adopt that approach.  However, doing so would cause behavior
that has worked in previous versions of our code to suddenly stop
working.  In particular, people who have only published the krb5 DNS
records but who use krb4 would suddenly start failing.


I do not like this option, so I am hoping someone on this list can
come up with something better.  But it does seem like a strong
requirement that we be able to know before sending to a KDC whether
that KDC will support krb4 or not.


Another related question: if we do end up supporting multiple DNS
records, does the krb524 service belong to the krb5 KDC or the krb4
KDC?  I believe having a third record for krb524 may be the wrong
approach.
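The trade-off the message describes can be made concrete with a small simulation of the two lookup policies. This is an added illustration, not MIT Kerberos, Heimdal or kth-krb code. The zone data, realm names and the set of KDCs that actually answer krb4 are constructed; `_kerberos._udp.<realm>` is the standard krb5 SRV name, while `_kerberos-iv._udp.<realm>` is assumed here as the shape of a distinct krb4 tag (check the implementation you care about before relying on that name). The `fallback` option is likewise a hypothetical knob used only to show why a separate tag with fallback does not escape the problem either.

```python
"""Simulated DNS SRV lookup policies for krb4 KDC discovery (added example).

Three constructed realms:
  LEGACY.EXAMPLE  runs krb4, but only ever published the krb5 SRV record
  MODERN.EXAMPLE  krb5-only KDC that silently drops krb4 packets
  BOTH.EXAMPLE    publishes both the krb5 tag and an assumed krb4 tag
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


KRB5_TAG = "_kerberos._udp."       # standard krb5 KDC SRV name
KRB4_TAG = "_kerberos-iv._udp."    # assumed form of a separate krb4 tag

# Constructed zone data, keyed by fully qualified SRV owner name.
ZONE = {
    "_kerberos._udp.legacy.example.": [SrvRecord(0, 0, 88, "kdc.legacy.example.")],
    "_kerberos._udp.modern.example.": [SrvRecord(0, 0, 88, "kdc.modern.example.")],
    "_kerberos._udp.both.example.": [SrvRecord(0, 0, 88, "kdc.both.example.")],
    "_kerberos-iv._udp.both.example.": [SrvRecord(0, 0, 750, "kdc4.both.example.")],
}

# Ground truth the client cannot see from DNS when one tag serves both
# protocols: which KDCs actually answer krb4 requests.  Constructed.
SERVES_KRB4 = {"kdc.legacy.example.", "kdc4.both.example."}


def srv_lookup(zone, name):
    """Return SRV records for `name`, lowest priority first, heavier weight
    first within a priority, or an empty list when the name has no records."""
    recs = zone.get(name.lower(), [])
    return sorted(recs, key=lambda r: (r.priority, -r.weight))


def locate_krb4_kdc_shared_tag(zone, realm):
    """Behaviour described in the post: krb4 lookups reuse the krb5 tag."""
    return srv_lookup(zone, KRB5_TAG + realm.lower() + ".")


def locate_krb4_kdc_separate_tag(zone, realm, fallback=False):
    """Distinct krb4 tag (the approach attributed to Heimdal/kth-krb).
    With fallback=True, a realm that published only krb5 records is still
    tried; that keeps the legacy realm working but reintroduces the
    timeout problem for krb5-only KDCs."""
    recs = srv_lookup(zone, KRB4_TAG + realm.lower() + ".")
    if not recs and fallback:
        recs = locate_krb4_kdc_shared_tag(zone, realm)
    return recs


def krb4_outcome(policy, zone, realm, **kw):
    """Classify what sending krb4 traffic to the KDCs chosen by `policy`
    would do: 'ok', 'timeout' (a chosen KDC drops krb4 on the floor),
    or 'no-kdc' (the policy found nothing to send to)."""
    recs = policy(zone, realm, **kw)
    if not recs:
        return "no-kdc"
    return "ok" if all(r.target in SERVES_KRB4 for r in recs) else "timeout"


if __name__ == "__main__":
    policies = [
        ("shared tag", locate_krb4_kdc_shared_tag, {}),
        ("separate tag", locate_krb4_kdc_separate_tag, {}),
        ("separate tag + fallback", locate_krb4_kdc_separate_tag, {"fallback": True}),
    ]
    for realm in ("LEGACY.EXAMPLE", "MODERN.EXAMPLE", "BOTH.EXAMPLE"):
        for label, policy, kw in policies:
            print(f"{realm:16} {label:24} {krb4_outcome(policy, ZONE, realm, **kw)}")
```

Running the table shows the tension in the message: the shared tag keeps the legacy realm working but sends krb4 to the krb5-only KDC (timeout); a strict separate tag fixes the timeout but makes the legacy realm fail outright; adding a fallback to the krb5 tag just moves the timeout back. Whatever a client chooses, DNS alone does not tell it whether a KDC will answer krb4 unless every krb4 realm publishes the krb4-specific record.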