Making sure that the client's host-based principal name matches its IP address is something best done asynchronously by scraping the logs.
Adding synchronous DNSSEC validation of this in the KDC (obviously the KDC internally would do things asynchronously) would add to latency. Probably not a big deal. It would also require significant restructuring of KDC implementations, for relatively little value.

Though to be frank, I do think it'd be good for KDCs to be so structured anyways so that various slow operations could be added by pre-auth and authz plugins of various types.

Nico
--
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
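The asynchronous log-scraping check the message recommends, as an added example that is not part of the original post or of any KDC implementation: it parses ISSUE lines in the style of the MIT krb5kdc log (format assumed and approximated), pulls out the client's host-based principal and source address, and flags principals whose FQDN does not agree with the address in both the forward and reverse direction. The DNS tables and the log lines are constructed stand-ins; a real checker would query a validating resolver instead.

```python
import re
from typing import Optional
# Regex for the ISSUE line of the MIT krb5kdc log (format assumed, approximate):
#   "AS_REQ (...) <client-ip>: ISSUE: authtime ..., etypes {...}, <client-princ> for <server-princ>"
ISSUE_RE = re.compile(
    r"AS_REQ \(.*?\) (?P<ip>[0-9a-fA-F.:]+): ISSUE: .*?, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)

# Constructed stand-in for DNS: forward (A) and reverse (PTR) records.
# A real checker would ask a DNSSEC-validating resolver here (asynchronously).
FORWARD = {"host1.example.com": "192.0.2.10", "host2.example.com": "192.0.2.11"}
REVERSE = {"192.0.2.10": "host1.example.com", "192.0.2.11": "host2.example.com"}

def host_of(principal: str) -> Optional[str]:
    """Return the FQDN from a host/<fqdn>@REALM principal, else None."""
    name, _, _realm = principal.partition("@")
    if not name.startswith("host/"):
        return None
    return name[len("host/"):].lower()

def check_issue(line: str) -> Optional[dict]:
    """Parse one ISSUE line; report whether the host principal agrees with the source IP."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    fqdn = host_of(m["client"])
    if fqdn is None:
        return None  # user principals are not bound to an address
    ip = m["ip"]
    forward_ok = FORWARD.get(fqdn) == ip
    reverse_ok = REVERSE.get(ip) == fqdn
    return {"principal": m["client"], "ip": ip,
            "forward_ok": forward_ok, "reverse_ok": reverse_ok,
            "suspicious": not (forward_ok and reverse_ok)}

def scan(log_text: str) -> list:
    """Run check_issue over every line of the log; return only the host-principal findings."""
    return [r for r in (check_issue(l) for l in log_text.splitlines()) if r]

# Constructed sample log: host1 from its own address, host2 from a foreign one, one user principal.
SAMPLE_LOG = """\
Jan 01 12:00:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1704110400, etypes {rep=18 tkt=18 ses=18}, host/host1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 01 12:00:05 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.7: ISSUE: authtime 1704110405, etypes {rep=18 tkt=18 ses=18}, host/host2.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 01 12:00:09 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1704110409, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the check runs over the log after the fact, it never adds latency to the AS exchange; a mismatch is an alert to investigate, not a reason to refuse the ticket.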