> So, it looks up _kerberos._udp.${REALM}, not _kerberos._udp.${DNS_SUFFIX}.
My impression is that first _kerberos.$DNS_SUFFIX is looked up and then that
realm is used
to look up _kerberos._udp.$REALM, however one would need to read more to figure
out what
was _intended_ and what the application _actually_does_. There is some built-in
guessing
in some implementations as well like upcasing the DNS_SUFFIX and trying if
that's a REALM.
> Too bad. I expected that the _kerberos._udp.${DNS_SUFFIX} would do the job.
Hm. Maybe I should turn on some debugging in my resolvers and look if someone
asks
for _kerberos._udp.pdc.kth.se but that might be the case if someone wrongly
types
kinit u...@pdc.kth.se. Sigh.
Sorry about first confusing your question to be about case.
Harald.
