[1546] in Kerberos
DNS for kerberos realm selection?
daemon@ATHENA.MIT.EDU (Clifford Neuman)
Wed Sep 4 17:45:01 1991
Date: Wed, 4 Sep 91 13:55:32 -0700
From: bcn@cs.washington.edu (Clifford Neuman)
To: Paul-Pomes@uiuc.edu
Cc: kerberos@MIT.EDU
In-Reply-To: Paul Pomes - UofIllinois CSO's message of 4 Sep 91 18:57:14 GMT <1991Sep4.185714.24942@ux1.cso.uiuc.edu>
Date: 4 Sep 91 18:57:14 GMT
From: paul@uxc.cso.uiuc.edu (Paul Pomes - UofIllinois CSO)
Subject: DNS for kerberos realm selection?
Reply-To: Paul-Pomes@uiuc.edu
To: kerberos@shelby.stanford.edu
When kerberos becomes widely available, the krb.realms file will quickly
become as unmanageable as hosts.txt is now. I propose that a new DNS
resource record be created called "KS" with the same syntax as NS records.
Comments?
The problem is that if mutual authentication is required, this
mapping must be secure. If it isn't, the mutual authentication will
still work to the extent that the client has correctly identified the
server, but the authenticated server principal might not be that which
the client intended.
One approach to addressing this concern might be to combine a DNS
resource record with the constraint that the realm name must be
superior to the host name (i.e. for domain style realm names, the
realm name must form a suffix of the host name). Unfortunately, this
reduces flexibility in the assignment of servers to realms and it also
breaks the ATHENA.MIT.EDU realm for which most host names end with
.MIT.EDU. The krb.realms file could be kept to handle such
exceptions.
~ Cliff
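As an added illustration (not code from the thread or from any Kerberos release), the following Python applies Cliff's proposed constraint: a DNS-supplied realm is accepted only when it is a label-aligned suffix of the host name, and anything else falls back to a krb.realms-style exception list. The krb.realms syntax (a leading "." for a whole domain, otherwise an exact host) and the sample entries are assumptions constructed for this example.

```python
# Sample krb.realms content (constructed for this example; format is assumed:
# ".domain REALM" covers every host under the domain, "host REALM" one host).
SAMPLE_KRB_REALMS = """\
.mit.edu      ATHENA.MIT.EDU
.lcs.mit.edu  LCS.MIT.EDU
bitsy.mit.edu ATHENA.MIT.EDU   # explicit host entry
"""


def parse_krb_realms(text):
    """Return (host -> realm, .domain -> realm) tables from krb.realms text."""
    hosts, domains = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        name, realm = line.split()
        name = name.lower()
        (domains if name.startswith(".") else hosts)[name] = realm
    return hosts, domains


def realm_from_file(host, hosts, domains):
    """Exact host entry first, then the longest matching .domain entry."""
    host = host.lower().rstrip(".")
    if host in hosts:
        return hosts[host]
    best = None
    for dom, realm in domains.items():
        if host.endswith(dom) and (best is None or len(dom) > len(best[0])):
            best = (dom, realm)
    return best[1] if best else None


def realm_is_superior(host, realm):
    """Cliff's constraint: the realm must be a proper, label-aligned suffix of host."""
    h = host.lower().rstrip(".").split(".")
    r = realm.lower().rstrip(".").split(".")
    return len(r) < len(h) and h[-len(r):] == r


def select_realm(host, dns_realm, hosts, domains):
    """Trust the DNS answer only if it is superior; otherwise use krb.realms."""
    if dns_realm is not None and realm_is_superior(host, dns_realm):
        return dns_realm
    return realm_from_file(host, hosts, domains)


HOSTS, DOMAINS = parse_krb_realms(SAMPLE_KRB_REALMS)
```

Note that bitsy.mit.edu with a DNS answer of ATHENA.MIT.EDU fails the suffix test, which is exactly the ATHENA exception Cliff describes; the host entry in the file is what resolves it.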