Hi,

> The KDC has no way of knowing if DNS is correct or wrong,

It could of course use a DNSSEC-aware resolver.

> nor would it
> trust the DNS

That is a setting with MIT krb5, and an admin could feel safe to enable it after setting up DNSSEC.

> even if it were able to ask a sensible question out of it.

I’ve been thinking along these lines, and would prefer to be able to install a secure name resolver on my KDC, and make it *require* DNSSEC. This could also help to trust remote, unknown zones. I wrote it down on

http://rickywiki.vanrein.org/doku.php?id=insisting-on-dnssec

It seems that I am the only one who sees a case for *insisting* on DNSSEC, or do others on this list agree there is a need?

Cheers,
 -Rick
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos