Getting rid of the reverse DNS lookups for canonical name resolution is the right thing to do and will finally bring MIT Kerberos into compliance with RFC 4120. It will impact the help desks of a large number of sites. I believe that as part of such a change MIT should change the version number to 2.0 in order to make clear that there is something major that sites need to pay attention to.
Jeffrey Altman

On 7/6/2011 1:27 PM, ghud...@mit.edu wrote:
> When creating service principals from hostnames, MIT krb5 performs two
> canonicalization steps by default:
>
> 1. Ask getaddrinfo() for the canonical name of the host, which
> converts non-fully-qualified domain names to fully-qualified ones
> and also resolves CNAME records in DNS.
>
> 2. Use getnameinfo() to reverse-canonicalize the address resulting
> from the getaddrinfo call. Typically, this results in a PTR lookup in
> DNS. This step can be suppressed by setting rdns = false in
> libdefaults.
>
> Neither of these steps is especially secure in most deployments. We
> have long-term plans to address that. But, the second step in
> particular also introduces a usability cost for new deployments
> whenever there are mismatched PTR records.
>
> We are considering turning off rdns by default in MIT krb5 1.10. In
> the past we've shied away from changing the default because we've been
> afraid of creating upgrade pain. But after consideration, we're not
> sure there's likely to be much impact.
>
> Does anyone on this list intentionally rely on PTR lookups for
> Kerberos hostname canonicalization?
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
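The two canonicalization steps the quoted mail describes, as an added C example that is not MIT krb5's own code: `canonicalize_host` is a hypothetical helper that runs getaddrinfo() with AI_CANONNAME and, only when `rdns` is set, a getnameinfo() PTR lookup on the first returned address, so the output for the two settings can be compared directly. Keeping the forward name when the PTR lookup fails, and lowercasing the result, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <sys/socket.h>
#define HOSTLEN 1025 /* assumed buffer size; equals glibc's NI_MAXHOST */

/* Hypothetical helper modelling the two canonicalization steps from the
 * quoted mail (not MIT krb5's own code). Returns 0 on success, -1 if the
 * forward lookup fails. The result is lowercased. */
static int canonicalize_host(const char *host, int rdns, char *out, size_t outlen)
{
    struct addrinfo hints, *ai;
    char rev[HOSTLEN];
    const char *name;
    size_t i;
    memset(&hints, 0, sizeof(hints));
    hints.ai_flags = AI_CANONNAME;      /* step 1: forward canonical name */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &ai) != 0)
        return -1;
    name = ai->ai_canonname ? ai->ai_canonname : host;
    /* Step 2, only when rdns is on: PTR lookup of the first address.
     * NI_NAMEREQD makes a missing PTR record an error instead of a numeric
     * string; on failure this example keeps the forward name (assumption). */
    if (rdns && getnameinfo(ai->ai_addr, ai->ai_addrlen, rev, sizeof(rev),
                            NULL, 0, NI_NAMEREQD) == 0)
        name = rev;
    for (i = 0; i + 1 < outlen && name[i] != '\0'; i++)
        out[i] = (char)tolower((unsigned char)name[i]);
    out[i] = '\0';
    freeaddrinfo(ai);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    char fwd[HOSTLEN], both[HOSTLEN];
    if (canonicalize_host(host, 0, fwd, sizeof(fwd)) != 0 ||
        canonicalize_host(host, 1, both, sizeof(both)) != 0)
        return 1;
    printf("rdns = false: host/%s\nrdns = true:  host/%s\n", fwd, both);
    if (strcmp(fwd, both) != 0)
        puts("mismatched PTR record: the two settings name different principals");
    return 0;
}
```

Run it with a hostname argument to see which service principal each setting would produce; the final line appears exactly in the mismatched-PTR situation the mail describes.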