Turning off hostname canonicalisation

Jeffrey Hutzelman jhutz at cmu.edu
Fri Sep 9 23:54:47 EDT 2005

On Friday, September 09, 2005 21:00:52 -0400 Jeffrey Altman 
<jaltman at mit.edu> wrote:

> Andrew Bartlett wrote:
>> How are MIT/Heimdal realms coping with windows clients, which I presume
>> don't do such fqdn resolution.  Is the concept of servicePrincipalName
>> spreading to cope, or are there just multiple principals and keytab
>> entries being created?
> Currently, large numbers of principal names and keytab entries are being
> created to deal with this issue.

Someday, I'd love to see MIT and/or Heimdal add real principal name 
aliasing, which would allow better handling for this case than is currently 
possible.  As to whether any of the implementors are likely to spend time 
on it, I don't know.

I very much support the idea of a libdefaults setting to turn of DNS 
resolution entirely.  Among other things, this would allow compliance with 
RFC4120 section 1.3, which says:

   Implementations of Kerberos and protocols based on Kerberos MUST NOT
   use insecure DNS queries to canonicalize the hostname components of
   the service principal names (i.e., they MUST NOT use insecure DNS
   queries to map one name to another to determine the host part of the
   principal name with which one is to communicate).

However, I object to the name proposed by Andrew, on the grounds that a 
significant portion of users are likely to misspell it, due to a systematic 
difference in spelling between British and American English (In American 
English, we spell -ize with a 'z').

Since a misspelling would result in unintended and potentially insecure 
behavior (depending on which setting is the default) and would not trigger 
an error message, let's pick a name which does not have this problem.

-- Jeff

More information about the krbdev mailing list