On Monday, April 12, 2004 16:52:23 -0700 Donn Cave <[EMAIL PROTECTED]> wrote:

> I believe we're more or less always asking for this trouble.
> If you don't get a canonical, reverse looked-up name back
> out of MIT Kerberos krb5_sname_to_principal(), then you're
> doing something different than me.

Well, for starters, I don't call MIT Kerberos krb5_sname_to_principal() very often, since I don't currently use that implementation.

Performing DNS alias resolution in krb5_sname_to_principal() is insecure unless you have a well-managed DNSSEC infrastructure, which virtually no one does. I have always considered this behaviour to be an implementation bug. While this is not addressed well enough in RFC1510, the next version of the Kerberos V spec (due out later this year) will include the following text:

     Implementations of Kerberos and protocols based on Kerberos MUST
     NOT use insecure DNS queries to canonicalize the hostname
     components of the service principal names (i.e. MUST NOT use
     insecure DNS queries to map one name to another to determine the
     host part of the principal name with which one is to communicate).

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
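
The requirement quoted in the message above, as an added example that is not part of the original message and is not code from any Kerberos implementation: a simplified Python model showing that a principal built from forward and reverse lookups follows whatever the resolver returned, while one built from the typed name and local configuration does not. All hostnames, addresses, the realm and the function names are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed sample DNS data (illustrative names and addresses only).
# forward: queried name -> (canonical name, address); reverse: address -> PTR name.
FORWARD = {"imap.example.org": ("mail1.example.org", "192.0.2.10")}
REVERSE = {"192.0.2.10": "mail1.example.org"}
# The same query as seen through a resolver whose unauthenticated answers differ.
FORWARD_ALTERED = {"imap.example.org": ("build7.example.org", "192.0.2.77")}
REVERSE_ALTERED = {"192.0.2.77": "build7.example.org"}

View = Tuple[Dict[str, Tuple[str, str]], Dict[str, str]]


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot; performs no network lookups."""
    return host.strip().rstrip(".").lower()


def principal_with_dns(service: str, host: str, realm: str,
                       forward: dict, reverse: dict) -> str:
    """Simplified model: canonicalize via forward lookup, then reverse lookup."""
    typed = normalize(host)
    canon, addr = forward.get(typed, (typed, None))
    name = reverse.get(addr, canon) if addr else canon
    return f"{service}/{normalize(name)}@{realm}"


def principal_without_dns(service: str, host: str, realm: str,
                          default_domain: Optional[str] = None) -> str:
    """Host part comes only from what the user typed plus local configuration."""
    name = normalize(host)
    if "." not in name and default_domain:
        name = f"{name}.{normalize(default_domain)}"
    return f"{service}/{name}@{realm}"


def dns_dependence(service: str, host: str, realm: str,
                   views: Dict[str, View]) -> Dict[str, str]:
    """Map each resolver view to the principal a client would request under it."""
    return {label: principal_with_dns(service, host, realm, fwd, rev)
            for label, (fwd, rev) in views.items()}


if __name__ == "__main__":
    views = {"expected": (FORWARD, REVERSE),
             "altered": (FORWARD_ALTERED, REVERSE_ALTERED)}
    for label, princ in dns_dependence("imap", "imap.example.org",
                                       "EXAMPLE.ORG", views).items():
        print(f"{label:9} -> {princ}")
    print("no DNS    ->",
          principal_without_dns("imap", "imap.example.org", "EXAMPLE.ORG"))
```

Two resolver views yielding two different principals for the same typed name is the condition the quoted MUST NOT rules out; the DNS-free function returns the same principal under both views.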
