> So, it looks up _kerberos._udp.${REALM}, not _kerberos._udp.${DNS_SUFFIX}.

My impression is that first _kerberos.$DNS_SUFFIX is looked up and then that
realm is used to look up _kerberos._udp.$REALM, however one would need to read
more to figure out what was _intended_ and what the application
_actually_does_. There is some built-in in some implementations as well like
upcasing the DNS_SUFFIX and trying if that's a REALM.

> Too bad. I expected that the _kerberos._udp.${DNS_SUFFIX} would do the job.

Hm. Maybe I should turn on some debugging in my resolvers and look if someone
asks for _kerberos._udp.pdc.kth.se but that might be the case if someone
wrongly kinit u...@pdc.kth.se. Sigh.

Sorry about first confusing your question to be about case.


