Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input

Nico Williams nico at
Fri Oct 14 15:22:43 EDT 2011

On Fri, Oct 14, 2011 at 1:28 PM, Sam Hartman <hartmans at> wrote:
>>>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:
>    Tom> Is there any way to securely deal with multiple search domains?
> No, RFC 4120 tells you not to deal with multiple search domains.

No, RFC4120 says not to use DNS.  It doesn't say to not use a search
list, although a search list would have similar but less severe issues
(thus it follows that RFC4120 discourages them too) but we could
extend the protocol to support secure unknown service principal
errors, which would solve that problem.

Unless your position is that soon we'll have DNSSEC everywhere, I
don't see how you could think it's better to keep the current DNS
canonicalization scheme and not add an option for applying a search
list instead.  Search lists would definitely be a security improvement
over DNS lookups as we do them today in MIT and Heimdal.


More information about the krbdev mailing list