[OpenAFS] Re: is there any good reason to use capitalized names for new realms?
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 26 Jan 2006 16:03:30 -0500
On Wednesday, January 25, 2006 10:33:59 PM -0800 Adam Megacz <megacz@cs.berkeley.edu> wrote:
> (which it will do using DNS
> entries, thereby using the capitalization of the DNS TXT record, which
> can be assumed to be correct).
... unless an attacker has spoofed the DNS response, which is one of the
reasons we did not specify this technique in RFC4120.
In fact, the only safe way to perform host->realm mapping is using some
combination of a fixed algorithm and a set of mappings obtained via a
secure means. While it is theoretically possible to use DNSSEC and TXT
records for this, I know of no Kerberos implementation which is capable of
doing so in such a fashion that it knows the mapping is secure. The more
widely-deployed means of distributing such mappings is either via a config
file, or by means of a secure database (for example, Microsoft's KDC
generates referrals to other realms within a forest on the basis of data
contained in AD).
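The host-to-realm mapping the message recommends, written out as an added example (not code from the thread or from any Kerberos implementation): a config-file-style mapping consulted by longest suffix, a fixed algorithm as the fallback, and DNS TXT data accepted only when the resolver reports it as authenticated. The `DOMAIN_REALM` table, the `TxtAnswer` type and the choice of "parent domain, upper-cased" as the fixed algorithm are assumptions made for the example.

```python
# Added example, not from the original message: host -> realm mapping that
# uses (1) a static mapping table of the kind kept in a config file such as
# krb5.conf's [domain_realm], (2) a fixed algorithm as the fallback, and
# (3) DNS TXT data only when the resolver validated it (e.g. DNSSEC AD bit).
from dataclasses import dataclass
from typing import Optional

# Constructed sample mapping in [domain_realm] style. Keys that start with
# "." apply to every host under that domain; other keys match one host.
DOMAIN_REALM = {
    "cs.berkeley.edu": "CS.BERKELEY.EDU",
    ".cs.berkeley.edu": "CS.BERKELEY.EDU",
    ".andrew.cmu.edu": "ANDREW.CMU.EDU",
    "legacy.example.org": "OLD.EXAMPLE.ORG",
}


def realm_from_config(hostname: str, mapping=DOMAIN_REALM) -> Optional[str]:
    """Exact host match first, then the longest matching '.suffix' entry."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest suffix is tried first
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def realm_by_fixed_algorithm(hostname: str) -> str:
    """Fallback with no trust dependency: the parent domain, upper-cased."""
    labels = hostname.lower().rstrip(".").split(".")
    parent = labels[1:] if len(labels) > 1 else labels
    return ".".join(parent).upper()


@dataclass
class TxtAnswer:
    """Hypothetical resolver result for a _kerberos TXT lookup."""
    realm: str
    authenticated: bool  # True only if the resolver validated DNSSEC


def host_to_realm(hostname: str, txt: Optional[TxtAnswer] = None) -> str:
    """Secure mapping wins; unauthenticated TXT data is ignored, not trusted."""
    realm = realm_from_config(hostname)
    if realm:
        return realm
    if txt is not None and txt.authenticated:
        return txt.realm
    return realm_by_fixed_algorithm(hostname)
```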