On 11-06-10 16:38, Sam Hartman <hartm...@debian.org> wrote: > One significant issue I have is that I believe with the dns-based > option, the less secure DNS-based approach is preferred to the > referrals. Automating the process of populating the referrals data on > the KDCs would give you a much more secure result.
Yes, after giving it some thought, I agree with you there. > There's a lot to be said for having all code paths enabled (and I > thought the upstream default was already to turn this on but to disable > by default in the config file), but there's also a lot to be said for > strongly discouraging the DNS-based approach because its security > properties are very bad. There seem to be good arguments for and against the proposition. I'm not quite sure which way I would decide, were I in your place. Ciao, Alexander Wuerstlein. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org