On Aug 14, 2022, at 09:16, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: > > > but otherwise stuff works fine even if it can sometimes be > confusing as to how kerberos realms and DNS domains do or > don't map to one another.
But that’s because foo.example in DNS maps to FOO.EXAMPLE in Kerberos in most deployments. let’s say I get COCA-COLA.COM, that’s quite a different situation. We can have all the clever mappings for DNS to support alternative backend systems, but in the end the real issue is that “issued names” in the DNS world won’t map to alternative owners. The only way to guarantee that is to carve out some strings. But it will be unpopular strings because the popular ones are taken or reserved. Paul _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop