Null realms and servers

Nicolas Williams Nicolas.Williams at sun.com
Wed Dec 20 11:43:46 EST 2006


On Wed, Dec 20, 2006 at 09:51:14AM -0500, Derek Atkins wrote:
> Ahh, there's the "lookup_kdcs()" step.  That makes sense, and
> answers the question.  At each step in the FQDN you perform an
> active check to see if there's a realm at that level.

Yes.

There's a minor attack here (if you're using DNS to look up KDCs) in
that NXDOMAIN spoofs could force you up the realm hierarchy, but that
will be a DoS unless the attacker happens to be in possession of the
server credential for the given principal in the resulting realm name --
bloody unlikely.

In a zero-conf world making a fairly straightforward link between DNS
domain names and Kerberos V realm names helps, but requiring that every
sub-domain have its own realm when it isn't really in a separate
administrative domain doesn't.  Both referrals and this host2realm
algorithm address that problem, but referrals require KDC-side support,
whereas the latter does not.

Nico
-- 
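The realm walk and the NXDOMAIN-spoofing effect discussed in the message, as an added example that is not part of the original post and not code from MIT krb5 or any other Kerberos implementation. DNS is modelled by a constructed in-memory table keyed by SRV owner name in the _kerberos._udp.<domain> form that DNS-based KDC discovery uses (RFC 4120); an absent key stands for an NXDOMAIN answer. The names lookup_kdcs and host2realm are taken from the thread's wording; everything else (the table contents, service_principal, spoof_nxdomain, and the choice to start the walk at the host's parent domain) is this example's own assumption.

```python
"""Host-to-realm walk with an active DNS KDC probe at each label, and the
NXDOMAIN spoof that pushes resolution up the hierarchy.

Added example for illustration only; not code from the krbdev thread or
from any Kerberos implementation. DNS is a constructed in-memory table.
"""

# Constructed DNS: SRV owner name -> [(priority, weight, port, target)].
# Missing owner names model NXDOMAIN / no-answer responses.
CONSTRUCTED_DNS = {
    "_kerberos._udp.example.com.": [(0, 0, 88, "kdc1.example.com.")],
    "_kerberos._udp.eng.example.com.": [(0, 0, 88, "kdc.eng.example.com.")],
}


def _srv_name(domain):
    """SRV owner name for KDC discovery of a candidate realm (assumed form)."""
    return "_kerberos._udp." + domain.lower().rstrip(".") + "."


def lookup_kdcs(domain, dns=CONSTRUCTED_DNS):
    """The active check for a realm at this level: return the KDC targets
    for the candidate domain, or [] when the SRV query yields no answer."""
    records = sorted(dns.get(_srv_name(domain), []))  # priority, then weight
    return [target for _prio, _weight, _port, target in records]


def host2realm(fqdn, dns=CONSTRUCTED_DNS):
    """Walk up the FQDN one label at a time; the first level with KDCs is
    taken as the realm (upper-cased, the usual realm convention). Returns
    None if nothing below the bare TLD resolves."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Assumption: start at the host's parent domain, stop before the TLD.
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if lookup_kdcs(candidate, dns):
            return candidate.upper()
    return None


def service_principal(fqdn, realm, service="host"):
    """Principal the client asks the KDC for once a realm has been chosen."""
    return "%s/%s@%s" % (service, fqdn.lower().rstrip("."), realm)


def spoof_nxdomain(dns, domain):
    """Attacker's effect on the client's view: the SRV answer for one domain
    is replaced by NXDOMAIN, modelled by dropping that owner name from the
    table the client resolves against. The original table is not modified."""
    spoofed = dict(dns)
    spoofed.pop(_srv_name(domain), None)
    return spoofed


if __name__ == "__main__":
    host = "ws1.eng.example.com"
    honest = host2realm(host)
    attacked = host2realm(host, spoof_nxdomain(CONSTRUCTED_DNS, "eng.example.com"))
    print("honest DNS :", honest, service_principal(host, honest))
    print("spoofed    :", attacked, service_principal(host, attacked))
    # After the spoof the client requests host/ws1.eng.example.com@EXAMPLE.COM.
    # Unless the attacker holds that principal's key in EXAMPLE.COM, the
    # parent KDC either has no such principal or issues a ticket the real
    # server cannot decrypt, so the result is a failed authentication: a
    # denial of service, not an impersonation.
```

With the honest table the walk stops at ENG.EXAMPLE.COM; spoofing NXDOMAIN for eng.example.com moves it to EXAMPLE.COM, and spoofing both levels leaves no realm at all. The exposure exists only because realm discovery here goes through unauthenticated DNS answers, which is the condition the message states.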