[1046] in Kerberos_V5_Development


Re: full explanation of proposed krb5_sname_to_princ change

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Mon Apr 8 20:05:38 1996

Date: Mon, 8 Apr 1996 20:05:26 -0400
From: Theodore Ts'o <tytso@MIT.EDU>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Sam Hartman's message of 01 Apr 1996 11:50:22 -0500,
	<tslwx3zsxbl.fsf@tertius.mit.edu>

   From: Sam Hartman <hartmans@MIT.EDU>
   Date: 01 Apr 1996 11:50:22 -0500

	   Ted asked me to go through the background of my proposed
   change, then to fully explain what I was trying to do.

	   Basically, I'm trying to solve the problem of machines that
   have multiple A records in DNS--machines like athena.dialup.mit.edu,
   et al.  Newer versions of Bind tend to round-robin these addresses,
   so you are likely to get different answers if you call gethostbyname()
   on the same domain twice in a row.

	   My proposal is to somehow save the address you actually
   connect to, and do a gethostbyaddr on this address.  The
   canonicalization of this address should be the specific name of the
   host you actually connected to.  It is important to note that this
   will still work if you actually use the name athena.dialup.mit.edu as
   the official name for multiple hosts, although you will have to have a
   host/athena.dialup.mit.edu key on each host.

Sam,
	Sorry for the delay in getting back to you.  I've been rather
swamped lately.

	Instead of changing krb5_sname_to_princ, or creating a new
version of krb5_sname_to_princ, what about simply having a new function,
krb5_os_cannonicalize_hostname(), which takes as input a hostname, and calls
gethostbyaddr(gethostbyname()) on the input hostname and returns the
resulting hostname?

	Then we simply have to change those programs which might have to
call krb5_os_cannonicalize_hostname() first, and then use the
resulting hostname for krb5_sname_to_princ() as well as using that
hostname to call gethostbyname(), followed by connect().

	This solution makes the same assumptions as your proposal (there
must be one PTR record for a given IP address), and it avoids needing to
use addresses in a krb5 interface which (as you point out) is a real
pain to do.  We avoid the whole morass of sockaddr_in
vs. krb5_addresses, and the ease or non-ease of generating them by
simply using a char * for the canonicalized hostname.

	It does have the disadvantage of an additional DNS resolver
call, but that seems like a minor price to pay.

						- Ted
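
The sequence Ted proposes, written out as an added example that is not part of this thread or of the MIT Kerberos code. The function and host names (canonicalize_hostname, RoundRobinResolver, the example.com hosts and addresses) are constructed for illustration; the resolver is injected so the example runs offline against a constructed DNS table, and taking the first returned address stands in for the address connect() actually used.

```python
"""Canonicalize a hostname the way the proposed
krb5_os_cannonicalize_hostname() would: gethostbyaddr(gethostbyname(name)),
then reuse both the canonical name (for the service principal) and the
address (for connect()), so the two cannot drift apart under round-robin DNS.
Resolver lookups are injected so this runs offline against a constructed table.
"""

import itertools

# Constructed DNS data (not real records): a round-robin pool name with two
# A records, and one PTR record per address, as the proposal assumes.
FORWARD = {
    "athena.dialup.example.com": ["10.0.0.11", "10.0.0.12"],
    "dialup-11.example.com": ["10.0.0.11"],
    "dialup-12.example.com": ["10.0.0.12"],
}
REVERSE = {
    "10.0.0.11": "dialup-11.example.com",
    "10.0.0.12": "dialup-12.example.com",
}


class RoundRobinResolver:
    """Simulates a BIND-style round-robin answer: each gethostbyname() call
    rotates the address list, so two consecutive calls can disagree."""

    def __init__(self, forward, reverse):
        self._forward = forward
        self._reverse = reverse
        self._calls = itertools.count()

    def gethostbyname(self, name):
        addrs = self._forward[name]
        shift = next(self._calls) % len(addrs)
        return addrs[shift:] + addrs[:shift]

    def gethostbyaddr(self, addr):
        return self._reverse[addr]


def canonicalize_hostname(name, resolver):
    """Hypothetical krb5_os_cannonicalize_hostname(): one forward lookup,
    one reverse lookup on the address we will actually use. Returns
    (canonical_name, address) so the caller connects to the same host it
    named the principal for. The extra resolver call Ted mentions is the
    gethostbyaddr() here."""
    addr = resolver.gethostbyname(name)[0]  # stands in for the connect()ed address
    return resolver.gethostbyaddr(addr), addr


def service_principal(service, hostname, realm):
    """krb5_sname_to_princ-style construction of service/hostname@REALM."""
    return f"{service}/{hostname}@{realm}"


def connect_and_name_principal(name, resolver, realm="EXAMPLE.COM"):
    """The proposed client sequence: canonicalize once, then use the canonical
    name for the principal and the saved address for connect()."""
    canon, addr = canonicalize_hostname(name, resolver)
    return service_principal("host", canon, realm), addr


def naive_principal_and_connect(name, resolver, realm="EXAMPLE.COM"):
    """The problem case: one gethostbyname() to pick the principal's host and a
    separate one for connect(). Under round-robin they can name different
    hosts, so the ticket is for a key the contacted host does not hold."""
    princ_addr = resolver.gethostbyname(name)[0]
    princ = service_principal("host", resolver.gethostbyaddr(princ_addr), realm)
    connect_addr = resolver.gethostbyname(name)[0]
    return princ, connect_addr


def principal_matches_host(princ, addr, resolver):
    """Check that the hostname inside service/host@REALM is the PTR name of the
    address we connected to (the property the proposal is meant to guarantee)."""
    host = princ.split("/", 1)[1].split("@", 1)[0]
    return resolver.gethostbyaddr(addr) == host


if __name__ == "__main__":
    pool = "athena.dialup.example.com"
    good = connect_and_name_principal(pool, RoundRobinResolver(FORWARD, REVERSE))
    bad = naive_principal_and_connect(pool, RoundRobinResolver(FORWARD, REVERSE))
    print("canonicalized:", good)
    print("naive:        ", bad)
```

The canonicalized path yields host/dialup-11.example.com@EXAMPLE.COM together with 10.0.0.11, and the check passes; the naive path names dialup-11 but connects to 10.0.0.12 on the rotated second answer, which is exactly the mismatch Sam describes. The result is only as good as the single PTR record per address that both proposals assume, so a deployment using this scheme has to keep the reverse zone consistent with the host keys it issues.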

