Proposal for using NAPTR/URI records

Simo Sorce simo at
Tue Feb 24 09:49:48 EST 2015

On Mon, 2015-02-23 at 22:59 -0600, Nico Williams wrote:
> Using NAPTR certainly takes MS-KKDCP from the realm of curiosity that
> might turn out to be very handy, to the realm that requires
> significant security review and treading carefully.
> Even just plain URI.  The first thing that comes up is: OK, so I'm
> discovering a proxy for a realm's KDCs, but how do I know what's safe
> to expose to said proxy?  Should I always use FAST w/ anon PKINIT?
> What is the complete list of what will leak?  When should DNSSEC be
> required?
> One might as well put capaths in DNS, with similar (further-reaching)
> considerations.

I do not see how exposing KKDCP in DNS is any different from current DNS
SRV records, therefore I do not see why it requires additional security

Can you explain ?


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list