[1551] in Kerberos
Re: DNS for kerberos realm selection?
daemon@ATHENA.MIT.EDU (Dan Bernstein)
Sat Sep 7 09:56:31 1991
Date: 7 Sep 91 13:19:33 GMT
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
To: kerberos@shelby.Stanford.EDU
In article <1991Sep4.185714.24942@ux1.cso.uiuc.edu> Paul-Pomes@uiuc.edu writes:
> When kerberos becomes widely available, the krb.realms file will quickly
> become as unmanageable as hosts.txt is now. I propose that a new DNS
> resource record be created called "KS" with the same syntax as NS records.
> Comments?
No!
By even considering such a feature before a secure wide-area directory
service exists, you're compromising the security of Kerberos. Don't do
it. Realms should be as static as /etc/networks and about as frequently
updated.
---Dan