Insisting on DNSSEC (was: tickets with wrong DNS)
daemon@ATHENA.MIT.EDU (Rick van Rein)
Mon Jun 9 02:36:22 2014
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <1402251663.9430.43.camel@willson.usersys.redhat.com>
Date: Mon, 9 Jun 2014 08:36:02 +0200
Message-Id: <5DCBA616-48DF-450F-9CE8-FB4C90D1B2CA@openfortress.nl>
To: Simo Sorce <simo@redhat.com>
Cc: kerberos@mit.edu
Hi,

> The KDC has no way of knowing if DNS is correct or wrong,

It could of course use a DNSSEC-aware resolver.

> nor would it
> trust the DNS

That is a setting with MIT krb5, and an admin could feel safe to enable it after setting up DNSSEC.

> even if it were able to ask a sensible question out of it.

I’ve been thinking along these lines, and would prefer to be able to install a secure name resolver on my KDC, and make it *require* DNSSEC. This could also help to trust remote, unknown zones. I wrote it down on
http://rickywiki.vanrein.org/doku.php?id=insisting-on-dnssec
It seems that I am the only one who sees a case for *insisting* on DNSSEC, or do others on this list agree there is a need?
Cheers,
-Rick
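The post argues for a KDC that *insists* on DNSSEC rather than merely tolerating it. The following added example (not code from MIT krb5, from the linked wiki page, or from the poster) shows what that policy looks like at the wire level: a DNS response is only used if it comes from a validating resolver on the loopback interface and carries the AD (Authenticated Data) flag with a clean RCODE. The header bytes are constructed by hand so the snippet runs offline; the function names `insist_on_dnssec`, `is_validated_answer` and `resolver_is_trusted` are my own naming, not an existing API.

```python
"""
Added illustration of "insisting on DNSSEC": accept a DNS answer only when a
local validating resolver has set the AD bit.  Not code from MIT krb5 or the
post; all message bytes below are constructed test data (headers only).
"""
import struct
import ipaddress

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_QR = 0x8000     # message is a response
FLAG_AD = 0x0020     # Authenticated Data: the resolver validated the answer
FLAG_CD = 0x0010     # Checking Disabled: validation was explicitly skipped
RCODE_MASK = 0x000F  # low four bits carry the response code (0 = NOERROR, 2 = SERVFAIL)


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header; raise on truncated input."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def is_validated_answer(msg: bytes) -> bool:
    """True only for a successful response that the resolver marked as validated.

    An answer without AD (unsigned zone, validation not performed, or a forged
    reply from a non-validating path) is treated as unusable.  A SERVFAIL is
    what a validating resolver returns when signatures fail, so it is rejected
    by the RCODE check.
    """
    flags = parse_header(msg)["flags"]
    return (bool(flags & FLAG_QR)
            and (flags & RCODE_MASK) == 0
            and not (flags & FLAG_CD)
            and bool(flags & FLAG_AD))


def resolver_is_trusted(resolver_ip: str) -> bool:
    """The AD bit is only as trustworthy as the path to the resolver that set it.

    Here the policy is: only a validating resolver on the loopback interface
    counts, because an AD bit arriving over the network can be set by anyone
    who can spoof the reply.
    """
    return ipaddress.ip_address(resolver_ip).is_loopback


def insist_on_dnssec(msg: bytes, resolver_ip: str) -> bool:
    """Combined policy: trusted resolver AND validated answer, otherwise refuse."""
    return resolver_is_trusted(resolver_ip) and is_validated_answer(msg)


def build_response(ident: int, flags: int) -> bytes:
    """Construct a minimal DNS response header (constructed test data, no RRs)."""
    return struct.pack("!6H", ident, FLAG_QR | flags, 1, 0, 0, 0)


# Constructed sample responses, header only.
VALIDATED = build_response(0x1234, FLAG_AD)   # resolver validated the chain
UNVALIDATED = build_response(0x1234, 0)       # no AD: unsigned zone or untrusted path
SERVFAIL = build_response(0x1234, 2)          # validation failure reported as SERVFAIL
CHECKING_DISABLED = build_response(0x1234, FLAG_AD | FLAG_CD)  # contradictory, refuse

if __name__ == "__main__":
    samples = [("validated", VALIDATED), ("unvalidated", UNVALIDATED),
               ("servfail", SERVFAIL), ("checking-disabled", CHECKING_DISABLED)]
    for name, resp in samples:
        print(f"{name:18} local resolver: {insist_on_dnssec(resp, '127.0.0.1')}")
    print(f"{'validated':18} remote resolver: {insist_on_dnssec(VALIDATED, '192.0.2.53')}")
```

The design choice worth noting is that this policy rejects answers from unsigned zones as well as forged ones; that is exactly the trade-off implied by "insisting" rather than "using" DNSSEC, and it is what lets the KDC extend trust to remote zones it has never seen before, as the post suggests.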
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos