DNS lookups and krb4 Support

Steve Langasek vorlon at netexpress.net
Sat May 31 14:55:11 EDT 2003

On Sat, May 31, 2003 at 01:35:24PM -0400, Sam Hartman wrote:

> When DNS support was added to MIT Kerberos the same srv record tag was
> used to look up both krb5 and krb4 KDCs.

> Now, when we are discouraging new realms from deploying krb4 support,
> we run into a problem.  We need to know whether a realm supports krb4
> before sending krb4 requests to that KDC.  A krb5 KDC may (and our
> code now defaults to this behavior) drop krb4 packets on the floor
> without answering them at all.

> So, attempting to engage in krb4 protocol transactions with a
> krb5-only KDC may produce timeouts for the user.  We sometimes get
> people complaining about log messages and other events as well.

> According to Assar, Heimdal and Kerberos4-kth solve this problem by
> using a different service tag for krb4 than the one used for krb5.

> We could adopt that approach.  However, doing so would cause behavior
> that has worked in previous versions of our code to suddenly stop
> working.  In particular, people who have only published the krb5 DNS
> records but who use krb4 would suddenly start failing.

> I do not like this option, so I am hoping someone on this list can
> come up with something better.  But it does seem like a strong
> requirement that we be able to know before sending to a KDC whether
> that KDC will support krb4 or not.

Are you talking about service records such as this one?

_kerberos._udp          IN      SRV     0 0 88 kerberos-1

Given that service records encode the port number in the RR, I can only
conclude that any software that would look at this record and assume
it can send krb4 requests to the machine named kerberos-1 on port 750
is buggy.  Fixing such a bug would break backwards compatibility, true;
but that doesn't make it less of a bug.

> Another related question: if we do end up supporting multiple DNS
> records, does the krb524 service belong to the krb5 KDC or the krb4
> KDC?  I believe having a third record for krb524 may be the wrong
> approach.

Same as above.  Service records are per-*service*, and krb524 is a
separate service (with a separate TCP/IP endpoint) from either the krb5
KDC or the krb4 KDC.  If you guess based on SRV records for other
services, no matter what heuristic you use you'll always run into users
who have their networks configured differently.  The fact that you're
asking which record to associate krb524 with is ample evidence of this.

If the client has been otherwise configured to want krb4 tickets, the
KDC lookup is being done in DNS, and there is no DNS entry for krb524d,
I think it's reasonable to try connecting to the krb5 KDC for this; but
a separate record would be preferable, IMHO.

Steve Langasek
postmodern programmer
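As an added illustration of the per-service lookup argued for above (not code from the mail or from MIT Kerberos), the following resolves each service strictly from its own SRV record, taking the port from the RR, never guessing a krb4 endpoint from the krb5 record, and falling back to the krb5 KDC for krb524 only when no krb524 record exists. The zone fragment is constructed, and the `_kerberos-iv._udp` and `_krb524._udp` tags are assumptions; only `_kerberos._udp` appears in the original mail.

```python
"""Per-service SRV lookup with no cross-service port guessing.

Assumed service tags (only _kerberos._udp is in the original mail):
  _kerberos._udp      krb5 KDC
  _kerberos-iv._udp   krb4 KDC (separate tag, Heimdal/KTH style; assumed)
  _krb524._udp        krb524 service (assumed tag)
"""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed sample zone fragment for a hypothetical realm; not from the mail.
SAMPLE_ZONE = """
_kerberos._udp.example.com.     IN SRV 0 0 88  kerberos-1.example.com.
_kerberos._udp.example.com.     IN SRV 1 0 88  kerberos-2.example.com.
_kerberos-iv._udp.example.com.  IN SRV 0 0 750 kerberos-1.example.com.
"""

# owner [ttl] IN SRV priority weight port target
SRV_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_zone(text):
    """Parse zone-file style SRV lines into SrvRecord tuples; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append(SrvRecord(name.lower(), int(prio), int(weight), int(port), target))
    return records

def lookup_service(records, service, realm):
    """Return (target, port) endpoints for one service tag, best first.
    The port comes from the RR itself; nothing is inferred from another service's record."""
    name = f"{service}.{realm}.".lower()
    hits = [r for r in records if r.name == name]
    hits.sort(key=lambda r: (r.priority, -r.weight))  # RFC 2782: lowest priority first
    return [(r.target, r.port) for r in hits]

def locate(records, realm, want):
    """want is 'krb5', 'krb4' or 'krb524'. krb4 is never guessed from the krb5 record
    (an empty result means 'do not send krb4 to this realm'); krb524 falls back to the
    krb5 KDC only when no _krb524 record exists, as the mail suggests."""
    tags = {"krb5": "_kerberos._udp", "krb4": "_kerberos-iv._udp", "krb524": "_krb524._udp"}
    endpoints = lookup_service(records, tags[want], realm)
    if not endpoints and want == "krb524":
        endpoints = lookup_service(records, tags["krb5"], realm)
    return endpoints
```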