[OpenAFS] Re: is there any good reason to use capitalized names for new realms?

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 26 Jan 2006 16:03:30 -0500


On Wednesday, January 25, 2006 10:33:59 PM -0800 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

> (which it will do using DNS
> entries, thereby using the capitalization of the DNS TXT record, which
> can be assumed to be correct).

... unless an attacker has spoofed the DNS response, which is one of the 
reasons we did not specify this technique in RFC4120.

In fact, the only safe way to perform host->realm mapping is using some 
combination of a fixed algorithm and a set of mappings obtained via a 
secure means.  While it is theoretically possible to use DNSSEC and TXT 
records for this, I know of no Kerberos implementation which is capable of 
doing so in such a fashion that it knows the mapping is secure.  The more 
widely-deployed means of distributing such mappings is either via a config 
file, or by means of a secure database (for example, Microsoft's KDC 
generates referrals to other realms within a forest on the basis of data 
contained in AD).
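The config-file approach the reply points to, as an added example that is not the author's code or any Kerberos implementation's own: a host-to-realm lookup over a krb5.conf-style [domain_realm] section (exact host entries, leading-dot domain suffixes) with a fixed fallback, and no DNS TXT step at all. The section text, the realm names and the uppercased-parent-domain fallback rule are constructed assumptions for illustration.

```python
"""Host -> realm mapping from local, trusted data only (constructed example)."""
from typing import Dict, Optional

# Constructed sample of a krb5.conf [domain_realm] body; not any real site's config.
CONSTRUCTED_DOMAIN_REALM = """
    # a leading dot maps every host under that domain
    .example.org            = EXAMPLE.ORG
    example.org             = EXAMPLE.ORG
    .lab.example.org        = LAB.EXAMPLE.ORG
    special.lab.example.org = SPECIAL.EXAMPLE.ORG   # exact host beats suffix
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Parse 'name = REALM' lines; names are lowercased, comments dropped."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, realm = (part.strip() for part in line.split("=", 1))
        mapping[name.lower()] = realm
    return mapping


def host_to_realm(hostname: str, mapping: Dict[str, str],
                  default_realm: Optional[str] = None) -> str:
    """Resolve hostname to a realm without consulting DNS.

    Order: exact host entry, then the longest matching '.suffix' entry,
    then the fixed rule "uppercase the parent domain" (assumed here as the
    fixed algorithm), then default_realm for single-label hosts.
    """
    host = hostname.rstrip(".").lower()       # DNS names are case-insensitive
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):           # most specific suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    if len(labels) >= 2:
        return ".".join(labels[1:]).upper()   # fixed algorithm, no network I/O
    if default_realm is None:
        raise ValueError(f"no realm mapping for {hostname!r}")
    return default_realm


DOMAIN_REALM = parse_domain_realm(CONSTRUCTED_DOMAIN_REALM)
```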