On Wednesday, January 25, 2006 10:33:59 PM -0800 Adam Megacz <[EMAIL PROTECTED]> wrote:
> (which it will do using DNS entries, thereby using the capitalization of the DNS TXT record, which can be assumed to be correct).
... unless an attacker has spoofed the DNS response, which is one of the reasons we did not specify this technique in RFC4120.
In fact, the only safe way to perform host->realm mapping is using some combination of a fixed algorithm and a set of mappings obtained via a secure means. While it is theoretically possible to use DNSSEC and TXT records for this, I know of no Kerberos implementation which is capable of doing so in such a fashion that it knows the mapping is secure. The more widely-deployed means of distributing such mappings is either via a config file, or by means of a secure database (for example, Microsoft's KDC generates referrals to other realms within a forest on the basis of data contained in AD).
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
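The mapping strategy argued for above (static mappings plus a fixed algorithm, with DNS TXT data accepted only when the client can tell it was authenticated) as an added worked example. This is illustration code written for this page, not OpenAFS or any Kerberos implementation's code. The mapping table, the hostnames, the realm names and the fake DNS resolver are all constructed; the lookup order (exact host first, then each parent domain as a ".suffix" key) follows the krb5.conf [domain_realm] convention, and the `authenticated` flag stands in for the AD bit a validating resolver sets on DNSSEC-verified answers.

```python
"""Host -> Kerberos realm mapping: static mappings, then DNSSEC-validated TXT
(if any), then a fixed algorithm. Unauthenticated TXT answers are ignored
because they can be spoofed. Example code written for this page."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed mapping in the style of a krb5.conf [domain_realm] section.
# A key without a leading dot matches one host exactly; a key with a leading
# dot matches every host beneath that domain.
DOMAIN_REALM: Dict[str, str] = {
    "afsdb1.example.com": "ADMIN.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    ".eu.example.net": "EU.EXAMPLE.NET",
}


@dataclass
class TxtAnswer:
    """One _kerberos.<host> TXT answer. `authenticated` models whether the
    resolver validated the record with DNSSEC (an assumption for this demo)."""
    realm: str
    authenticated: bool


DnsLookup = Callable[[str], Optional[TxtAnswer]]


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so table keys compare reliably."""
    return host.lower().rstrip(".")


def lookup_static(host: str, mappings: Dict[str, str]) -> Optional[str]:
    """Exact host first, then parent domains from longest suffix to shortest."""
    host = normalize(host)
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mappings:
            return mappings[key]
    return None


def fixed_algorithm(host: str) -> str:
    """Data-free fallback: the parent domain of the host, upper-cased."""
    host = normalize(host)
    parent = host.split(".", 1)[1] if "." in host else host
    return parent.upper()


def host_to_realm(host: str, mappings: Dict[str, str] = DOMAIN_REALM,
                  dns: Optional[DnsLookup] = None,
                  require_dnssec: bool = True) -> str:
    """Securely obtained mappings win; DNS TXT is used only if authenticated
    (or if the caller explicitly disables that check); otherwise fall back to
    the fixed algorithm, which an attacker controlling DNS cannot influence."""
    realm = lookup_static(host, mappings)
    if realm is not None:
        return realm
    if dns is not None:
        answer = dns("_kerberos." + normalize(host))
        if answer is not None and (answer.authenticated or not require_dnssec):
            return answer.realm
        # An unauthenticated answer may have been spoofed: ignore it.
    return fixed_algorithm(host)


# Constructed fake resolvers standing in for real DNS lookups.
def make_fake_dns(answers: Dict[str, TxtAnswer]) -> DnsLookup:
    return lambda name: answers.get(name)


# Attacker-controlled, unvalidated answer for a host with no static mapping.
SPOOFED_DNS = make_fake_dns({
    "_kerberos.fs1.corp.example.org": TxtAnswer("EVIL.EXAMPLE.ORG", False),
})
# The same name answered by a validating resolver with DNSSEC-signed data.
VALIDATED_DNS = make_fake_dns({
    "_kerberos.fs1.corp.example.org": TxtAnswer("KRB.EXAMPLE.ORG", True),
})


if __name__ == "__main__":
    for h in ("afsdb1.example.com", "web.example.com", "a.b.eu.example.net"):
        print(h, "->", host_to_realm(h))
    print("spoofed, dnssec required   ->",
          host_to_realm("fs1.corp.example.org", dns=SPOOFED_DNS))
    print("spoofed, dnssec not required ->",
          host_to_realm("fs1.corp.example.org", dns=SPOOFED_DNS,
                        require_dnssec=False))
    print("validated                  ->",
          host_to_realm("fs1.corp.example.org", dns=VALIDATED_DNS))
```

The `require_dnssec=False` path reproduces the weakness the reply warns about: with no static entry for the host, a forged TXT record steers the client to a realm of the attacker's choosing. With the check left on, the forged answer is discarded and the client lands on the fixed-algorithm result instead, which is at worst wrong but not attacker-chosen.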
