[2288] in Kerberos_V5_Development
Re: ["Tony Mione" ] DNS lookups for Host Realm information
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Mar 7 11:58:42 1997
To: Christopher Blizzard <blizzard@appliedtheory.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Fri, 07 Mar 1997 11:42:04 EST."
<199703071642.LAA14942@odin.appliedtheory.com>
Date: Fri, 07 Mar 1997 11:55:59 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>Has there been any work at all on a standard method for using DNS as way
>of distributing kerberos realm and server information? This would be the
>most obvious way of distributing this kind of information and it fits
>pretty well into the DNS model. Just adding new record types (i.e. KS
>and KR) wouldn't be too tough. Ok, ok, I know it's not *that* simple. :)
_If_ there is a serious proposal to do this, then I can think of some
other things that would be useful. Finding out the realm a host is in
would be one; also, the "canonical" name to use as the instance for
multi-homed hosts would be another. Some people would say that if you
have your DNS set up correctly, multi-homed hosts aren't a problem; but
we have discovered that they definitely ARE a problem, because different
packages depend on different ways of doing multi-homed hosts.
>The only problem that I can see is that using DNS as the method for
>transporting this kind of information opens end users up to all kinds of
>man in the middle attacks.
I think if you use mutual authentication everywhere, this can be minimized.
--Ken