Proposal for using NAPTR/URI records
Nico Williams
nico at cryptonector.com
Mon Feb 23 23:59:03 EST 2015
Using NAPTR certainly takes MS-KKDCP from the realm of curiosity that
might turn out to be very handy, to the realm that requires
significant security review and treading carefully.
Even just plain URI. The first thing that comes up is: OK, so I'm
discovering a proxy for a realm's KDCs, but how do I know what's safe
to expose to said proxy? Should I always use FAST w/ anon PKINIT?
What is the complete list of what will leak? When should DNSSEC be
required?
One might as well put capaths in DNS, with similar (further-reaching)
considerations.
Nico
--
More information about the krbdev
mailing list