[36552] in Kerberos

Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Oct 16 23:04:35 2014

Date: Thu, 16 Oct 2014 23:04:13 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <0D161257-4C35-4390-ADCE-7C1385DDE679@openfortress.nl>
Message-ID: <alpine.GSO.1.10.1410162302040.27826@multics.mit.edu>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Errors-To: kerberos-bounces@mit.edu

On Mon, 13 Oct 2014, Rick van Rein wrote:

> Hello,
>
> Most of us know about the practice of the _kerberos TXT records in DNS;
> this can help to translate a servername to a REALM name, which is
> especially helpful if we want to crossover to other realms.  This is
> coded into MIT krb5, and I bet many of our domains implement it.
>
> A grep on my RFC collection showed no RFC that defines the TXT
> discipline; even RFC 4120 does not, even though
> https://datatracker.ietf.org/doc/draft-ietf-krb-wg-krb-dns-locate/history/
> says it has “incorporated into RFC 4120” the draft that introduced the
> TXT records.

Looking at the timestamps on that page, it seems likely to be an action
mostly for the purposes of clearing up a datatracker dashboard, that is
mostly correct but did not strictly speaking apply to the complete
contents of the document (just part of it).

I'm insufficiently motivated to go look at the krb-wg archives from 2002
to see the discussion of why only the SRV records were incorporated and
not the TXT ones.

> The TXT records were always considered unreliable, but we’ve seen DNSSEC
> become a reality these days, so it might be up for another chance.  If
> I’m not mistaken?

That is probably true.  The wisdom of "just put everything in the DNS"
remains as unclear as it ever was, of course.

-Ben
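
The host-to-realm lookup discussed in this thread, with the DNSSEC condition made explicit, as an added example that is not part of the original message and is not MIT krb5 code. The in-memory zone, the `validated` flag (standing in for a resolver's DNSSEC result), the function names and the choice to stop before the top-level label are all assumptions of this sketch.

```python
# Constructed, in-memory stand-in for DNS: owner name -> (TXT value, validated).
# "validated" models the resolver's DNSSEC verdict; no network access is used.
ZONE = {
    "_kerberos.example.org": ("EXAMPLE.ORG", True),
    "_kerberos.lab.example.org": ("LAB.EXAMPLE.ORG", True),
    "_kerberos.example.net": ("UNSIGNED.EXAMPLE", False),  # unsigned answer
}


def candidate_names(hostname):
    """Yield _kerberos.<domain> for the host name and each parent domain."""
    labels = hostname.rstrip(".").lower().split(".")
    # Assumption of this example: stop before the bare top-level label.
    for i in range(len(labels) - 1):
        yield "_kerberos." + ".".join(labels[i:])


def realm_for_host(hostname, lookup_txt, require_dnssec=True):
    """Map a server name to a realm via _kerberos TXT records.

    lookup_txt(name) returns (realm, validated) or None when no record exists.
    With require_dnssec set, an unvalidated answer ends the search and None is
    returned, so the caller falls back to static configuration instead of
    trusting a realm name that anyone on the path could have supplied.
    Authenticated denial of existence is not modelled here.
    """
    for name in candidate_names(hostname):
        answer = lookup_txt(name)
        if answer is None:
            continue  # no record at this level, try the parent domain
        realm, validated = answer
        if require_dnssec and not validated:
            return None  # fail closed on an unauthenticated answer
        return realm
    return None


if __name__ == "__main__":
    for host in ("host.lab.example.org", "www.example.org", "www.example.net"):
        print(host, "->", realm_for_host(host, ZONE.get))
```
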
