> On 15 Aug 2022, at 00:57, Paul Wouters <[email protected]> wrote:
>
> On Aug 14, 2022, at 09:16, Stephen Farrell <[email protected]> wrote:
>>
>>
>> but otherwise stuff works fine even if it can sometimes be
>> confusing as to how kerberos realms and DNS domains do or
>> don't map to one another.
>
> But that’s because foo.example in DNS maps to FOO.EXAMPLE in Kerberos in most
> deployments.
>
> let’s say I get COCA-COLA.COM, that’s quite a different situation.

Then you will have a problem if you run up against anyone else using
COCA-COLA.COM as a realm name. I also expect that if you are anyone other
than the Coca-Cola Company and run up against the Coca-Cola Company you will
be forced to rename your realm. Kerberos doesn’t have a naming authority but
to use it in a federated manner there needs to be an authority. Most users of
Kerberos use the DNS namespace as that authority.

> We can have all the clever mappings for DNS to support alternative backend
> systems, but in the end the real issue is that “issued names” in the DNS
> world won’t map to alternative owners. The only way to guarantee that is to
> carve out some strings. But it will be unpopular strings because the popular
> ones are taken or reserved.
>
> Paul
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
