DNS lookups and krb4 Support

Steve Langasek vorlon at netexpress.net
Sat May 31 15:04:24 EDT 2003

On Sat, May 31, 2003 at 02:37:06PM -0400, Jeffrey Altman wrote:

> I have several ideas that might be applicable.  A DNS SRV record of

>  _kerberos._tcp.<domain>

> without an accompanying

>  _kerberos._udp.<domain>

> record could be interpreted to mean Kerberos 5 only.

> Another idea could involve the publication of a negative DNS SRV record:

>  _kerberos4._no.<domain>

> or

>  _no_kerberos4._udp.<domain> 

> We would need to have a discussion with the DNS community to see what is 
> best. 

> Whatever we do will always have the problem of the existing installed 
> base considering _kerberos._udp.<domain> to mean both Kerberos 4 and 
> Kerberos 5.  Therefore, anything we would want to do would require 
> deprecating _kerberos and replacing it with _kerberos4 and _kerberos5.  
> Unfortunately, this would do nothing to solve the problem for existing 
> clients.

Correct me if I'm wrong, but doesn't the krb4 kdc support still run on
port 750 rather than port 88?  That means there should be a separate, 
explicit _kerberos4._udp SRV entry for this.

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20030531/6d025b4a/attachment.bin

More information about the krbdev mailing list