Bug#1014829: kerberos-configs: consider setting rdns=false by default

2022-07-13 Thread Sam Hartman
Andreas> According to [1], the upstream implicit default of "rdns =
Andreas> true" is there for historical reasons only, and upstream
Andreas> suggests to consider setting it to "false":

Andreas> """ Consider setting rdns to false in order to reduce your
Andreas> dependence on precisely correct DNS information for service
Andreas> hostnames. Turning this flag off means that service
Andreas> hostnames will be canonicalized through forward name
Andreas> resolution (which adds your domain name to unqualified
Andreas> hostnames, and resolves CNAME records in DNS), but not
Andreas> through reverse address lookup. The default value of this

Yeah, this makes sense.
Thanks for reporting this.


I will try to get to this and get krb5 1.20 into unstable by the end of
DebConf.  I'm not at the conference, but that's a good time frame to
give myself a deadline.



Bug#1014829: kerberos-configs: consider setting rdns=false by default

2022-07-12 Thread Andreas Hasenack
Package: kerberos-configs
Version: 2.6
Severity: normal

Dear Maintainer,

According to [1], the upstream implicit default of "rdns = true" is
there for historical reasons only, and upstream suggests to consider
setting it to "false":

"""
Consider setting rdns to false in order to reduce your dependence on
precisely correct DNS information for service hostnames. Turning this
flag off means that service hostnames will be canonicalized through
forward name resolution (which adds your domain name to unqualified
hostnames, and resolves CNAME records in DNS), but not through reverse
address lookup. The default value of this flag is true for historical
reasons only.
"""

In particular, I've seen reports of users failing to join a Linux
machine to an Active Directory domain unless they set this parameter
to false. AWS also recommends it in their guide at [2] (note that
"ubuntu" is the same as Debian in this context):
"""
Disable Reverse DNS resolution and set the default realm to your
domain's FQDN. Ubuntu Instances must be reverse-resolvable in DNS
before the realm will work. Otherwise, you have to disable reverse DNS
in /etc/krb5.conf as follows:

sudo vi /etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM
rdns = false
"""

I believe indeed this is particularly true for cloud environments,
where reverse DNS is not easily controllable, and also in other
environments where you don't own the reverse DNS. So maybe it would be
best to default to rdns=false to make Kerberos easier for more users?
What are the security implications of this change?


1. https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_clients.html#client-machine-configuration-files
2. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html
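As an added illustration (not part of the bug report or of krb5's own code), a small Python model of the hostname canonicalization the MIT text quoted above describes, run against a constructed in-memory DNS table instead of live lookups: with rdns=false the service principal follows the search domain and the CNAME chain, while with rdns=true a provider-managed PTR record that nobody in the realm controls decides which principal the client asks a ticket for, which is the failure mode behind the join problems mentioned above. The FakeDns, service_principal and compare names and the example.com records are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class FakeDns:
    """Constructed in-memory DNS data standing in for live lookups."""
    domain: str                                # search domain for unqualified names
    cname: dict = field(default_factory=dict)  # alias -> target
    a: dict = field(default_factory=dict)      # name -> IPv4 address
    ptr: dict = field(default_factory=dict)    # address -> reverse (PTR) name

    def forward(self, name):
        """Qualify an unqualified name, follow CNAMEs, return (canonical, addr)."""
        if "." not in name:
            name = f"{name}.{self.domain}"
        seen = set()
        while name in self.cname:
            if name in seen:
                raise ValueError(f"CNAME loop at {name}")
            seen.add(name)
            name = self.cname[name]
        if name not in self.a:
            raise LookupError(f"no A record for {name}")
        return name, self.a[name]

def service_principal(dns, hostname, realm, rdns):
    """host/<canonical>@REALM as a client would request it for a service ticket."""
    canon, addr = dns.forward(hostname)
    if rdns:
        # rdns=true: a PTR name, when present, replaces the forward name.
        canon = dns.ptr.get(addr, canon)
    return f"host/{canon}@{realm}"

# Constructed scenario: a cloud host whose PTR record is provider-managed and
# does not match the name the service's Kerberos key was registered under.
CLOUD = FakeDns(
    domain="example.com",
    cname={"app.example.com": "web01.example.com"},
    a={"web01.example.com": "192.0.2.10"},
    ptr={"192.0.2.10": "ip-192-0-2-10.ec2.internal"},
)

def compare(hostname="app", realm="EXAMPLE.COM"):
    """Principal requested with rdns=false versus rdns=true for the same host."""
    return {
        "rdns=false": service_principal(CLOUD, hostname, realm, rdns=False),
        "rdns=true": service_principal(CLOUD, hostname, realm, rdns=True),
    }

for setting, princ in compare().items():
    print(f"{setting:10} -> {princ}")
```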