Proposal for using NAPTR/URI records
ghudson at mit.edu
Thu Feb 26 14:30:54 EST 2015
On 02/26/2015 01:07 PM, Nathaniel McCallum wrote:
> My main concern for not finding this compelling is that if the realm
> has SRV records it means the realm owners have (at least some)
> influence over DNS. Given that assumption, if the failed URI lookup is
> problematic, they can just replace the SRV records with a URI record
> since they have influence over DNS.
I have three concerns about this line of reasoning:
1. Is this true for the average Active Directory domain? I don't really
know how DNS for Active Directory typically works.
2. This argument assumes that the relevant DNS server implements the URI
record type. The record type was registered in 2011; I don't know what
proportion of running servers can support it (or will be able to in a year).
3. There is likely to be some amount of "why are you forcing me to make
this change when things worked fine before?" The benefit of reducing
two SRV queries to one URI query might or might not mitigate that. If
this were the only concern, I might weight it lower than the potential
benefits of treating URI as canonical. But at this moment it is not my
More information about the krbdev