Proposal for using NAPTR/URI records

Nico Williams nico at
Thu Feb 26 14:20:07 EST 2015

On Thu, Feb 26, 2015 at 06:02:11PM +0100, Petr Spacek wrote:
> I forgot to comment on this:
> QTYPE=ANY is unreliable because admins are disabling it in hope that
> it will mitigate DNS-amplified DDoS attacks. (It would be better to
> implement source-address filtering but what you can do ...)

I see, and it's probably a good idea, but in a DNSSEC world this is
equivalent to timing out, no?

> Unfortunately I do not have any data at hand but I believe that Viktor
> Dukhovni or other folks interested in DNS and mail server could add
> some details.

I'll ask him.

> Maybe this whole discussion should be moved to the IETF dnsop mailing
> list? After all, there is nothing Kerberos-specific; all the questions
> seem to be about DNS service discovery.

Well, but there is something for KITTEN WG as well, since there'd be new
requirements for KDC operators and -likely, or at least recommendations-
for client implementors.

I agree that dnsop is probably the better venue.  It's definitely
getting to the point where we should go ask for expert DNS advice, and
