Proposal for using NAPTR/URI records

Nico Williams nico at
Tue Feb 24 11:34:39 EST 2015

On Tue, Feb 24, 2015 at 8:49 AM, Simo Sorce <simo at> wrote:
> On Mon, 2015-02-23 at 22:59 -0600, Nico Williams wrote:
> > [...]
> I do not see how exposing KKDCP in DNS is any different from current DNS
> SRV records, therefore I do not see why it requires additional security
> considerations.
> Can you explain ?

Check out this thread (all of it, particularly Viktor D.'s and Sam
H.'s comments):

It's not that it can't be done.  But that it requires care.

Again, if I use a locally-configured proxy, or a proxy that is
co-located with the KDCs of the target realm, then no problem.  If I
use a DNS RRset that could point to a different host, and to boot I
don't use DNSSEC, then I now have a problem.

OTOH, it's probably not a big deal, we just need to think through the
security considerations:

 - TGS exchanges leak little information about the client principal
(mostly the Ticket they are using, and in the case of user2user
Kerberos, the user2user TGT of the peer).

 - AS exchanges leak the cname and crealm, but could be tunneled in
FAST w/ anon PKINIT, yielding protection for the cname, but not much
protection for the crealm (since, after all, if we're talking to an
MITM, they could have used a different host:port for each realm for
which they saw a query for a proxy).

 - anything else?

BTW, the better forum for this is the KITTEN WG list.
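The rule of thumb in the message above (a locally configured proxy, or one co-located with the realm's KDCs, is fine; a proxy learned only from an unsigned DNS RRset is not) can be made concrete. The following is an added example, not code from the thread or from any Kerberos implementation: it parses a DNS response carrying URI RRs (RFC 7553, type 256), reads the AD bit from the header, and applies that policy. The owner name `_kerberos._tcp.EXAMPLE.COM`, the sample URLs, the `REALM_KDC_HOSTS` set and the "HTTPS only" rule are all assumptions made for the illustration; the response packet is constructed inline.

```python
import struct
from urllib.parse import urlsplit

URI_RRTYPE = 256   # URI RR, RFC 7553
CLASS_IN = 1
AD_FLAG = 0x0020   # "Authenticated Data" bit in the DNS header flags word


def _read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                    # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end = off + 2                      # resume after the pointer
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_uri_response(msg):
    """Return (ad_bit_set, [(priority, weight, target), ...]) sorted by
    priority ascending, then weight descending."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        _qname, off = _read_name(msg, off)
        off += 4                                   # qtype + qclass
    records = []
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == URI_RRTYPE and rclass == CLASS_IN:
            prio, weight = struct.unpack_from("!HH", rdata, 0)
            records.append((prio, weight, rdata[4:].decode("utf-8")))
    records.sort(key=lambda r: (r[0], -r[1]))
    return bool(flags & AD_FLAG), records


def choose_kkdcp_proxy(msg, realm_kdc_hosts, local_proxy=None):
    """Pick a KKDCP proxy URL and say why it was accepted.

    Policy (an assumption modelled on the post, not a standard): local
    configuration wins; a DNS-learned proxy is accepted if the RRset was
    DNSSEC-validated, or if its host is one of the realm's known KDCs.
    """
    if local_proxy:
        return local_proxy, "local-config"
    validated, records = parse_uri_response(msg)
    for _prio, _weight, url in records:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            continue                               # assumption: HTTPS only
        if validated:
            return url, "dnssec-validated"
        if parts.hostname in realm_kdc_hosts:
            return url, "kdc-colocated"
    return None, "untrusted-dns"


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


def build_uri_response(qname, targets, ad):
    """Constructed sample response: one question, one URI RR per target,
    owner names compressed back to the question name (pointer 0xC00C)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)        # QR, RD, RA (+AD)
    msg = struct.pack("!6H", 0x1234, flags, 1, len(targets), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", URI_RRTYPE, CLASS_IN)
    for prio, weight, url in targets:
        rdata = struct.pack("!HH", prio, weight) + url.encode("utf-8")
        msg += (b"\xC0\x0C"
                + struct.pack("!HHIH", URI_RRTYPE, CLASS_IN, 300, len(rdata))
                + rdata)
    return msg


# Placeholder owner name and URLs; the real DNS name for KKDCP discovery
# was the subject of the thread and is not settled here.
QNAME = "_kerberos._tcp.EXAMPLE.COM"
TARGETS = [(10, 1, "https://kdc1.example.com/KdcProxy"),
           (5, 1, "https://proxy.example.net/KdcProxy")]
REALM_KDC_HOSTS = {"kdc1.example.com"}

if __name__ == "__main__":
    for ad in (False, True):
        resp = build_uri_response(QNAME, TARGETS, ad=ad)
        print("AD=%s ->" % ad, choose_kkdcp_proxy(resp, REALM_KDC_HOSTS))
```

With the unsigned response the off-realm `proxy.example.net` entry is skipped despite its better priority and the KDC-colocated `kdc1.example.com` entry is chosen; with the AD bit set the highest-priority entry is taken. One caveat the code cannot check for you: the AD bit is only worth anything if the stub talks to a validating resolver it trusts over a path an attacker cannot tamper with; on an untrusted network the client has to validate the RRset itself.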


More information about the krbdev mailing list