Proposal for using NAPTR/URI records

Nico Williams nico at
Mon Feb 23 23:59:03 EST 2015

Using NAPTR certainly takes MS-KKDCP from the realm of curiosity that
might turn out to be very handy, to the realm that requires
significant security review and treading carefully.

Even just plain URI.  The first thing that comes up is: OK, so I'm
discovering a proxy for a realm's KDCs, but how do I know what's safe
to expose to said proxy?  Should I always use FAST w/ anon PKINIT?
What is the complete list of what will leak?  When should DNSSEC be

One might as well put capaths in DNS, with similar (further-reaching)


More information about the krbdev mailing list