Steve Langasek <[EMAIL PROTECTED]> writes:

> Of course, I've also never seen MIT KRB5 respect these TXT records, so
> perhaps there's a good reason not to use them that I'm unaware of; but
> they are still mentioned in the documentation from krb5 1.4.4.

Support for TXT records to do realm mapping is disabled by default in MIT
Kerberos because honoring TXT records in the absence of DNSSEC can open
you to various impersonation attacks where the attacker intercepts your
DNS TXT query and lies to you about the correct realm to use.

SRV records can pose similar problems, but people don't seem as worried
about them.  I'm not sure if that's because the analysis of what an
attacker can do with a SRV record is less confusing or just because SRV
records are very useful and widely used.

As a configuration hint, I think using a TXT record would be reasonable.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
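For readers unfamiliar with the mechanism under discussion, an added illustration (not part of the original thread or of MIT's own distribution): the TXT record Steve refers to, the krb5.conf setting that would make MIT krb5 honor it, and the explicit `[domain_realm]` mapping that removes the dependence on unauthenticated DNS. Realm and host names are constructed examples.

```ini
# krb5.conf (MIT Kerberos) -- constructed example, not from the thread.
#
# The DNS record the thread discusses, in zone-file syntax:
#   _kerberos.example.com.  IN TXT "EXAMPLE.COM"
# It tells a client which realm hosts under example.com belong to.

[libdefaults]
    default_realm = EXAMPLE.COM

    # Weak: derive host-to-realm mapping from _kerberos.<domain> TXT
    # records. Without DNSSEC an attacker who can answer the client's
    # DNS query can name a realm of their choosing.
    # dns_lookup_realm = true

    # MIT default: TXT-based realm mapping is off; the client relies
    # only on the static [domain_realm] section below.
    dns_lookup_realm = false

    # SRV-based KDC location left at its default (on). The message
    # notes similar concerns exist here, but SRV lookup is widely relied
    # upon; the realm itself is still pinned by [domain_realm].
    dns_lookup_kdc = true

[domain_realm]
    # Locally controlled mapping that replaces the TXT lookup.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
```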
