Hi,

> DNSSEC is an awesome idea for clients, but has really nothing to do with
> checking if AS requests should succeed or not.
> When it comes to AS requests, from the KDC POV all that really matters is
> whether you have a valid key or not.

When using pre-authentication (which I haven’t studi
- Original Message -
> Hi,
>
> > The KDC has no way of knowing if DNS is correct or wrong,
>
> It could of course use a DNSSEC-aware resolver.
>
> > nor would it
> > trust the DNS
>
> That is a setting with MIT krb5, and an admin could feel safe to enable it
> after setting up DNSSEC.
Hi,

> The KDC has no way of knowing if DNS is correct or wrong,

It could of course use a DNSSEC-aware resolver.

> nor would it
> trust the DNS

That is a setting with MIT krb5, and an admin could feel safe to enable it
after setting up DNSSEC.

> even if it were able to ask a sensible question