On Wed, 2011-07-06 at 14:01 -0400, Ken Hornstein wrote:
> >On Wed, 2011-07-06 at 13:41 -0400, Ken Hornstein wrote:
> >> >Does anyone on this list intentionally rely on PTR lookups for
> >> >Kerberos hostname canonicalization?
> >>
> >> "Yes".
> >>
> >> (I can go into detail if you really care).
> >
> >I am interested if you can explain.
>
> The answers:
>
> - Multihomed hosts (we want to connect to a particular interface, but
>   we want to use one canonical name, because adding a new keytab for a
>   new interface is more of a pain than simply changing the reverse DNS).
>   This also comes into issue when you're doing cross-domain multihoming
>   where the host is in another domain (and other Kerberos realm), and
>   yes, we do that too (but thankfully not that often).
> - Hostname masquerading, where the host has a CNAME pointing to the
>   "real" name, but for various reasons we want the name used by Kerberos
>   to be the CNAME.
>
> I admit that these issues are not insurmountable.  But I am just answering
> the question that Greg asked.
I would resolve all these issues by using aliases at the KDC level, but
thank you for explaining, it's valuable data on the way KDC/DNS are used
to keep track of.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
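The two setups Ken describes both hinge on the client trusting the PTR record of the address it resolved. The following added example (not from the thread, not krb5's own code) simulates that host-to-principal canonicalization step against a constructed zone so the effect of the `rdns` libdefaults setting on the resulting service principal can be seen for both cases; all host names and addresses are constructed.

```python
"""Simulate Kerberos host-to-principal canonicalization against a
constructed DNS zone.  rdns=True follows the first address back through
its PTR record (the behaviour the thread discusses); rdns=False stops at
the forward canonical name, as with `rdns = false` in krb5.conf."""

# Constructed zone data (hypothetical hosts, RFC 5737 documentation addresses).
CNAME = {
    "web.example.com": "node7.example.com",   # masquerading alias -> real host
}
A = {
    "node7.example.com": ["192.0.2.7"],
    "db.example.com": ["192.0.2.10", "198.51.100.10"],   # multihomed host
    "db-iface2.example.com": ["198.51.100.10"],          # name of 2nd interface
}
PTR = {
    "192.0.2.7": "web.example.com",       # reverse deliberately names the CNAME
    "192.0.2.10": "db.example.com",
    "198.51.100.10": "db.example.com",    # both interfaces share one reverse name
}


def forward_canonical(name: str) -> tuple[str, list[str]]:
    """Chase CNAMEs to the canonical name, as getaddrinfo(AI_CANONNAME) would."""
    seen = set()
    while name in CNAME:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = CNAME[name]
    if name not in A:
        raise LookupError(f"no A record for {name}")
    return name, A[name]


def canonicalize(hostname: str, rdns: bool = True) -> str:
    """Return the host component of the service principal for `hostname`."""
    cname, addrs = forward_canonical(hostname.lower().rstrip("."))
    if not rdns:
        return cname                      # identity stays with the forward zone
    # With rdns the identity is decided by whoever controls the reverse zone
    # of the first address; fall back to the forward name if no PTR exists.
    return PTR.get(addrs[0], cname).lower()


def principal(service: str, hostname: str, realm: str, rdns: bool = True) -> str:
    return f"{service}/{canonicalize(hostname, rdns)}@{realm}"
```

With rdns the second interface name maps to host/db.example.com (one keytab entry) and the CNAME survives as the principal name; with rdns=False each case yields the forward canonical name instead, which is what a KDC-side alias would have to cover.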