DNS lookups and krb4 Support
Steve Langasek
vorlon at netexpress.net
Sat May 31 15:04:24 EDT 2003
On Sat, May 31, 2003 at 02:37:06PM -0400, Jeffrey Altman wrote:
> I have several ideas that might be applicable. A DNS SRV record of
> _kerberos._tcp.<domain>
> without an accompanying
> _kerberos._udp.<domain>
> record could be interpreted to mean Kerberos 5 only.
> Another idea could involve the publication of a negative DNS SRV record:
> _kerberos4._no.<domain>
> or
> _no_kerberos4._udp.<domain>
> We would need to have a discussion with the DNS community to see what is
> best.
> Whatever we do will always have the problem of the existing installed
> base considering _kerberos._udp.<domain> to mean both Kerberos 4 and
> Kerberos 5. Therefore, anything we would want to do would require
> deprecating _kerberos and replacing it with _kerberos4 and _kerberos5.
> Unfortunately, this would do nothing to solve the problem for existing
> clients.
Correct me if I'm wrong, but doesn't the krb4 kdc support still run on
port 750 rather than port 88? That means there should be a separate,
explicit _kerberos4._udp SRV entry for this.
--
Steve Langasek
postmodern programmer