Turning off hostname canonicalisation
Jeffrey Hutzelman
jhutz at cmu.edu
Fri Sep 9 23:54:47 EDT 2005
On Friday, September 09, 2005 21:00:52 -0400 Jeffrey Altman
<jaltman at mit.edu> wrote:
> Andrew Bartlett wrote:
>
>> How are MIT/Heimdal realms coping with windows clients, which I presume
>> don't do such fqdn resolution. Is the concept of servicePrincipalName
>> spreading to cope, or are there just multiple principals and keytab
>> entries being created?
>
> Currently, large numbers of principal names and keytab entries are being
> created to deal with this issue.
Someday, I'd love to see MIT and/or Heimdal add real principal name
aliasing, which would allow better handling for this case than is currently
possible. As to whether any of the implementors are likely to spend time
on it, I don't know.
I very much support the idea of a libdefaults setting to turn off DNS
resolution entirely. Among other things, this would allow compliance with
RFC4120 section 1.3, which says:
    Implementations of Kerberos and protocols based on Kerberos MUST NOT
    use insecure DNS queries to canonicalize the hostname components of
    the service principal names (i.e., they MUST NOT use insecure DNS
    queries to map one name to another to determine the host part of the
    principal name with which one is to communicate).
However, I object to the name proposed by Andrew, on the grounds that a
significant portion of users are likely to misspell it, due to a systematic
difference in spelling between British and American English (In American
English, we spell -ize with a 'z').
Since a misspelling would result in unintended and potentially insecure
behavior (depending on which setting is the default) and would not trigger
an error message, let's pick a name which does not have this problem.
-- Jeff
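To make the misspelling hazard in this message concrete, here is an added lint (example code, not part of the krbdev thread and not MIT or Heimdal code): it reads the [libdefaults] section of a krb5.conf fragment, checks whether DNS hostname canonicalisation is turned off, and flags unrecognised keys, since a Kerberos library silently ignores a key it does not know and keeps its default. It assumes the option name `dns_canonicalize_hostname` (the name MIT krb5 later shipped), a deliberately small list of accepted keys, and constructed sample fragments.

```python
"""Check a krb5.conf [libdefaults] fragment for DNS hostname canonicalisation.

Added example, not code from the krbdev thread or from MIT/Heimdal.
Assumes the option name ``dns_canonicalize_hostname`` (the name MIT krb5
later shipped) and a small, hypothetical list of accepted keys.
"""
import configparser
import difflib

# Accepted [libdefaults] keys for this lint (assumption: a minimal list; a
# real krb5.conf accepts many more).
KNOWN_KEYS = sorted([
    "default_realm",
    "dns_canonicalize_hostname",
    "dns_lookup_kdc",
    "dns_lookup_realm",
    "rdns",
])

# Spellings treated as boolean "false" by this lint (assumption).
FALSE_VALUES = {"false", "no", "off", "0", "f", "n"}


def parse_libdefaults(text):
    """Return the [libdefaults] keys/values from a krb5.conf-style fragment.

    Only flat key = value lines are handled; the brace-nested [realms]
    syntax is out of scope for this example.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # krb5.conf keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("libdefaults"):
        return {}
    return dict(cp.items("libdefaults"))


def lint_libdefaults(text):
    """Return a list of findings; an empty list means canonicalisation is off
    and every key is one the library would recognise.

    Findings are tuples:
      ("unknown_key", key, suggestion)   suggestion may be None
      ("canonicalisation_enabled", value)
    """
    settings = parse_libdefaults(text)
    findings = []
    for key in settings:
        if key not in KNOWN_KEYS:
            # A near miss (e.g. the -ise spelling) is the dangerous case:
            # the library ignores it and silently keeps the default.
            close = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            findings.append(("unknown_key", key, close[0] if close else None))
    value = settings.get("dns_canonicalize_hostname", "true")  # library default
    if value.strip().lower() not in FALSE_VALUES:
        findings.append(("canonicalisation_enabled", value))
    return findings


# Constructed sample fragments (not taken from any real deployment).
WEAK_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
"""

MISSPELT_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_canonicalise_hostname = false
"""

HARDENED_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_canonicalize_hostname = false
rdns = false
"""

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("misspelt", MISSPELT_CONF),
                       ("hardened", HARDENED_CONF)]:
        print(name, lint_libdefaults(conf) or "OK")
```

The misspelt fragment is the case the message warns about: the file looks hardened, parses without error, and canonicalisation stays enabled because the `-ise` key is never read. Checking for near-miss keys in configuration review catches that before it reaches a host.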