Mantas Mikulėnas <graw...@gmail.com> writes:
> On Fri, Jun 15, 2012 at 12:19 AM, Russ Allbery <r...@stanford.edu> wrote:

>> Not currently.  It's a little tricky to use a SRV record for this since
>> wallet doesn't have its own port (it just uses remctl), and normally
>> SRV records are tied to services with unique port assignments.  I could
>> just make up some TXT record convention, but I feel weird about that.

> Just like there are _kerberos._udp and _kerberos-master._udp sharing
> daemons and ports, I see no reason there couldn't be a _wallet._tcp
> SRV record.

Yeah, I suppose that's true.

>> There are also security issues with trusting DNS if you don't have
>> DNSSEC configured.

> How are they different from trusting DNS to correctly resolve a
> statically configured server?

remctl does mutual authentication with the server, so you know that you're
contacting the hostname that you think you're contacting.  But that
doesn't help if the attacker can change which hostname you contact.

-- 
Russ Allbery (r...@stanford.edu)             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
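One client-side mitigation for the point raised above, as an added example that is not part of this thread or of the wallet/remctl code: when a client discovers its server through a `_wallet._tcp` SRV lookup, discard any target outside the DNS zone it already trusts before ordering the rest per RFC 2782. The sample answer, the trusted zone `example.com` and the use of port 4373 (remctl's registered port) are assumptions of the example.

```python
import random
from dataclasses import dataclass

# Constructed sample answer for a hypothetical _wallet._tcp.example.com SRV
# lookup (not real DNS data). The last record stands in for an answer
# supplied by whoever controls the resolver: best priority, wrong zone.
CONSTRUCTED_ANSWER = [
    ("wallet1.example.com.", 10, 60, 4373),
    ("wallet2.example.com.", 10, 40, 4373),
    ("wallet-backup.example.com.", 20, 0, 4373),
    ("wallet.attacker.example.", 5, 100, 4373),
]

@dataclass(frozen=True)
class SrvTarget:
    target: str
    priority: int
    weight: int
    port: int

def in_trusted_zone(name: str, zone: str) -> bool:
    """True if name is the zone itself or a subdomain of it (case-insensitive)."""
    n, z = name.rstrip(".").lower(), zone.strip(".").lower()
    return n == z or n.endswith("." + z)

def order_srv(answer, zone, seed=None):
    """Drop targets outside `zone`, then order the rest per RFC 2782:
    ascending priority; within one priority, weighted random selection."""
    rng = random.Random(seed)
    good = [SrvTarget(t.rstrip("."), p, w, port) for t, p, w, port in answer
            if in_trusted_zone(t, zone)]
    ordered = []
    for prio in sorted({r.priority for r in good}):
        # RFC 2782: zero-weight records go first, then pick by running sum.
        bucket = sorted((r for r in good if r.priority == prio),
                        key=lambda r: r.weight)
        while bucket:
            pick = rng.randint(0, sum(r.weight for r in bucket))
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered

if __name__ == "__main__":
    for r in order_srv(CONSTRUCTED_ANSWER, "example.com", seed=1):
        print(f"{r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```

The zone check only narrows which hosts a DNS answer can steer the client to; it is not a substitute for DNSSEC, and inside the trusted zone the client still relies on remctl's mutual authentication to the hostname it resolved.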
