> On Wed, 2011-07-06 at 13:41 -0400, Ken Hornstein wrote:
>> > Does anyone on this list intentionally rely on PTR lookups for
>> > Kerberos hostname canonicalization?
>>
>> "Yes".
>>
>> (I can go into detail if you really care).
>
> I am interested if you can explain.
The answers:

- Multihomed hosts (we want to connect to a particular interface, but we want to use one canonical name, because adding a new keytab for a new interface is more of a pain than simply changing the reverse DNS). This also comes into issue when you're doing cross-domain multihoming where the host is in another domain (and other Kerberos realm), and yes, we do that too (but thankfully not that often).

- Hostname masquerading, where the host has a CNAME pointing to the "real" name, but for various reasons we want the name used by Kerberos to be the CNAME.

I admit that these issues are not insurmountable. But I am just answering the question that Greg asked.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
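A simplified model of the two cases Ken describes, added here as an example (it is not code from the thread or from MIT krb5): the `rdns` and `dns_canonicalize_hostname` switches mirror the krb5.conf `[libdefaults]` options of those names, and the zone data, hostnames and realm are constructed for illustration.

```python
"""Model of client-side Kerberos hostname canonicalization with and without
reverse (PTR) lookups, using constructed zone data (not real DNS)."""

# Constructed records: an alias, forward addresses and the reverse zone.
CNAME = {"webapp.example.com": "node7.example.com"}
A = {
    "fileserver.example.com": "192.0.2.10",
    "fileserver-bnet.example.com": "198.51.100.10",  # 2nd interface, same box
    "node7.example.com": "203.0.113.7",
}
PTR = {
    "192.0.2.10": "fileserver.example.com",
    "198.51.100.10": "fileserver.example.com",  # both interfaces -> one name
    "203.0.113.7": "webapp.example.com",        # reverse names the alias on purpose
}
REALM = "EXAMPLE.COM"  # constructed


def forward_canonical(name):
    """Chase CNAMEs (what getaddrinfo with AI_CANONNAME does) -> (name, addr)."""
    seen = set()
    while name in CNAME:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = CNAME[name]
    if name not in A:
        raise LookupError("no address for %s" % name)
    return name, A[name]


def service_principal(host, service="host", dns_canonicalize_hostname=True, rdns=True):
    """Principal a client would ask a ticket for. rdns defaults to true in MIT krb5."""
    host = host.rstrip(".").lower()
    if not dns_canonicalize_hostname:
        return "%s/%s@%s" % (service, host, REALM)
    canon, addr = forward_canonical(host)
    if rdns and addr in PTR:          # PTR record overrides the forward result
        canon = PTR[addr].rstrip(".").lower()
    return "%s/%s@%s" % (service, canon, REALM)


def keytab_principals(hostnames, rdns=True):
    """Distinct service keys a server must hold for the names clients may use."""
    return sorted({service_principal(h, rdns=rdns) for h in hostnames})
```

With `rdns` on, the PTR record decides which service key the client expects, so the reverse zone is part of the trust boundary for that service; with it off, every interface name and alias needs its own keytab entry.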