Proposal for using NAPTR/URI records
Simo Sorce
simo at redhat.com
Tue Feb 24 09:49:48 EST 2015
On Mon, 2015-02-23 at 22:59 -0600, Nico Williams wrote:
> Using NAPTR certainly takes MS-KKDCP from the realm of curiosity that
> might turn out to be very handy, to the realm that requires
> significant security review and treading carefully.
>
> Even just plain URI. The first thing that comes up is: OK, so I'm
> discovering a proxy for a realm's KDCs, but how do I know what's safe
> to expose to said proxy? Should I always use FAST w/ anon PKINIT?
> What is the complete list of what will leak? When should DNSSEC be
> required?
>
> One might as well put capaths in DNS, with similar (further-reaching)
> considerations.
I do not see how exposing KKDCP in DNS is any different from current DNS
SRV records, therefore I do not see why it requires additional security
considerations.
Can you explain?
Simo.
--
Simo Sorce * Red Hat, Inc * New York