[30048] in Kerberos

Re: Question about dns_lookup_realm and domain_realm

daemon@ATHENA.MIT.EDU (Danny Mayer)
Sun Jun 29 23:57:26 2008

Message-ID: <486858F8.6010500@ntp.isc.org>
Date: Sun, 29 Jun 2008 23:54:32 -0400
From: Danny Mayer <mayer@ntp.isc.org>
MIME-Version: 1.0
To: jaltman@secure-endpoints.com
In-Reply-To: <48648151.50403@secure-endpoints.com>
X-kostecke.net-MailScanner-From: mayer@ntp.isc.org
Cc: kerberos@mit.edu
Reply-To: mayer@ntp.isc.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Jeffrey Altman wrote:
> Jos Backus wrote:
>> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>>> This behavior was most likely broken when the referrals code was added. 
>>
>> So it's a regression. Until this is fixed properly (which I don't claim my
>> patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong
>> with the patch as such?
> There are several issues here.  First, DNS TXT records are known to be insecure.  Turning
> them on for use in realm resolution provides for convenience but at the risk that your clients
> can be redirected to a realm that you do not control.

There is nothing insecure about DNS TXT records, any more than any other 
record in the DNS. I'm not sure where this idea came from.

Danny
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos