[AFS3-std] Security considerations for SRV records plus GSSAPI auth
Simon Wilkinson
simon@sxw.org.uk
Wed, 10 Mar 2010 23:58:01 +0000
On 10 Mar 2010, at 20:17, Russ Allbery wrote:
> I don't know to what extent this is
> applicable to rxgk, since it has a separate rxgk service, but it may
> be of interest and is at least worth reviewing.
Thanks for the pointer. The attacks in that document aren't relevant
to rxgk, because we don't use any information derived from the DNS in
determining the acceptor identity.
rxgk defines the GSSAPI acceptor as being rxgk@_afs.<cellname>. For
Kerberos sites, this has the advantage that if their cellname is a DNS
name, then their existing domain->realm mapping rules should take care
of determining the realm of the principal.
S.
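
The naming rule described in the message above, as an added example that is not part of the original message or of any rxgk implementation: DNS SRV answers choose where to connect, while the acceptor name comes only from the configured cell name. The function names, the sample hosts and the simplified domain->realm lookup (exact host, then parent ".domain" rules) are assumptions made for illustration.

```python
# Added illustration; all names and sample data below are constructed.

# Constructed domain->realm rules in the krb5.conf [domain_realm] style:
# a leading dot matches hosts under that domain, a bare name matches one host.
DOMAIN_REALM = {
    ".example.org": "EXAMPLE.ORG",
    "example.org": "EXAMPLE.ORG",
}

def acceptor_name(cellname):
    """GSSAPI host-based acceptor name, built only from the configured cell name."""
    return "rxgk@_afs." + cellname.rstrip(".").lower()

def plan_connection(cellname, srv_targets):
    """DNS decides where to connect; only the cell name decides whom to authenticate."""
    acceptor = acceptor_name(cellname)
    return [(t.rstrip(".").lower(), acceptor) for t in srv_targets]

def realm_for(host, rules=DOMAIN_REALM):
    """Simplified lookup: exact host first, then the nearest parent '.domain' rule."""
    host = host.rstrip(".").lower()
    if host in rules:
        return rules[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return None

def kerberos_principal(gss_name, rules=DOMAIN_REALM):
    """Map a host-based name service@host to service/host@REALM."""
    service, host = gss_name.split("@", 1)
    realm = realm_for(host, rules)
    if realm is None:
        raise LookupError("no realm mapping for " + host)
    return f"{service}/{host}@{realm}"

if __name__ == "__main__":
    cell = "example.org"
    # Constructed SRV targets; the second stands in for a forged DNS answer.
    answers = ["afsdb1.example.org.", "fs.attacker.example."]
    for target, acceptor in plan_connection(cell, answers):
        print(target, "->", acceptor, "->", kerberos_principal(acceptor))
```
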