When creating service principals from hostnames, MIT krb5 performs two canonicalization steps by default:
1. Ask getaddrinfo() for the canonical name of the host, which converts non-fully-qualified domain names to fully-qualified ones and also resolves CNAME records in DNS.

2. Use getnameinfo() to reverse-canonicalize the address resulting from the getaddrinfo call. Typically, this results in a PTR lookup in DNS. This step can be suppressed by setting rdns = false in libdefaults.

Neither of these steps is especially secure in most deployments. We have long-term plans to address that. But the second step in particular also introduces a usability cost for new deployments whenever there are mismatched PTR records.

We are considering turning off rdns by default in MIT krb5 1.10. In the past we've shied away from changing the default because we've been afraid of creating upgrade pain. But after consideration, we're not sure there's likely to be much impact.

Does anyone on this list intentionally rely on PTR lookups for Kerberos hostname canonicalization?

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
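The two steps described in the post, as an added example that is not code from the post or from MIT krb5 itself: a small C program that runs getaddrinfo() with AI_CANONNAME (step 1) and then getnameinfo() with NI_NAMEREQD (step 2) so you can see which hostname, and therefore which host/... principal, a client would end up with for rdns = true versus rdns = false. The service name "host", the realm EXAMPLE.COM, the default hostname "localhost" and the behaviour of keeping the forward name when the PTR lookup fails are assumptions of this example, not something the post states.

```c
#define _GNU_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define HOSTBUF 1025 /* large enough for any DNS name */

/* Step 1: forward canonicalization, as getaddrinfo() with AI_CANONNAME does it.
 * Expands short names to FQDNs and follows CNAMEs. On success copies the
 * canonical name into canon and the first returned address into addr. */
static int forward_canon(const char *host, char *canon, size_t canonlen,
                         struct sockaddr_storage *addr, socklen_t *addrlen)
{
    struct addrinfo hints, *res;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;
    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc; /* a gai error code, printable with gai_strerror() */
    snprintf(canon, canonlen, "%s", res->ai_canonname ? res->ai_canonname : host);
    memcpy(addr, res->ai_addr, res->ai_addrlen);
    *addrlen = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}

/* Step 2: reverse canonicalization, i.e. a PTR lookup through getnameinfo().
 * NI_NAMEREQD makes the call fail when there is no PTR record instead of
 * silently handing back the numeric address. */
static int reverse_canon(const struct sockaddr *addr, socklen_t addrlen,
                         char *out, size_t outlen)
{
    return getnameinfo(addr, addrlen, out, outlen, NULL, 0, NI_NAMEREQD);
}

/* Step 1 always, step 2 only when rdns is non-zero (the rdns = false case
 * skips it). Writes the resulting hostname, lower-cased and without a trailing
 * dot, into out. Assumption of this example: if the PTR lookup fails, the
 * forward canonical name from step 1 is kept. Returns 0 on success. */
int canonicalize_host(const char *host, int rdns, char *out, size_t outlen)
{
    char canon[HOSTBUF], rev[HOSTBUF];
    struct sockaddr_storage ss;
    socklen_t sslen;
    size_t n;
    int rc;

    rc = forward_canon(host, canon, sizeof canon, &ss, &sslen);
    if (rc != 0)
        return rc;
    if (rdns && reverse_canon((struct sockaddr *)&ss, sslen, rev, sizeof rev) == 0)
        snprintf(out, outlen, "%s", rev);
    else
        snprintf(out, outlen, "%s", canon);
    n = strlen(out);
    if (n > 0 && out[n - 1] == '.')
        out[n - 1] = '\0';
    for (char *p = out; *p; p++)
        if (*p >= 'A' && *p <= 'Z')
            *p += 'a' - 'A';
    return 0;
}

/* Builds service/hostname@REALM from an already canonicalized hostname. */
char *build_service_principal(const char *service, const char *canon_host,
                              const char *realm, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/%s@%s", service, canon_host, realm);
    return out;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost"; /* assumed default */
    char canon[HOSTBUF], princ[HOSTBUF + 64];

    /* Print the principal the two settings would produce for the same host. */
    for (int rdns = 1; rdns >= 0; rdns--) {
        int rc = canonicalize_host(host, rdns, canon, sizeof canon);
        if (rc != 0) {
            fprintf(stderr, "rdns=%d: %s\n", rdns, gai_strerror(rc));
            continue;
        }
        printf("rdns = %-5s -> %s\n", rdns ? "true" : "false",
               build_service_principal("host", canon, "EXAMPLE.COM",
                                       princ, sizeof princ));
    }
    return 0;
}
```

Run it against a host whose PTR record points somewhere other than its forward name and the two lines will differ; that difference is exactly the mismatch that causes a client to ask the KDC for a principal the server does not hold. Setting rdns = false under [libdefaults] in krb5.conf is the knob that removes the second line's dependence on the PTR record.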