On Tue, Jul 25, 2017 at 06:14:36PM -0700, Henry B (Hank) Hotz, CISSP wrote:
>

> I'm with Russ on this one, too. I've done /etc/hosts based
> deployments for robustness against DNS-failure scenarios.
> 
> POSIX getaddrinfo() does not require DNS. It's an interface to
> the system and whatever it uses. The system should be configurable to
> use whatever name resolution is appropriate with as little surprise
> as possible.

I use /etc/hosts based deployments as well and note that there are many
advantages.  We are not suggesting that we break this.  If you specify
hosts in /etc/krb5.conf, then we will continue to use getaddrinfo(3)
to look them up.  In fact, we have recently fixed this because Heimdal
used to unconditionally add a trailing dot to kdc names which makes
using /etc/hosts difficult unless you know this [undocumented] piece
of information.

But, if you specify:

[libdefaults]
        dns_lookup_kdc = true

And there are no KDCs configured in /etc/krb5.conf for the realm that
you are querying, you will use DNS SRV RRs.  And, we think that once you
have retrieved hostnames from DNS SRV RRs that they should be looked up
only in DNS and not subjected to search lists and the like.

-- 
    Roland C. Dowdeswell
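The two behaviours described above (configured KDC names go through getaddrinfo(3) and therefore /etc/hosts, SRV-derived names are fully qualified and resolved in DNS only, and a stray trailing dot defeats an /etc/hosts match) as an added illustration. This is example code written for this thread, not Heimdal's own implementation; it assumes a tiny subset of krb5.conf syntax, a constructed /etc/hosts and SRV data, an `_kerberos._udp` SRV name, and a default of `dns_lookup_kdc = true` when the key is absent.

```python
"""KDC discovery decision logic (illustrative, not Heimdal's code)."""
import re

# Constructed krb5.conf: EXAMPLE.COM has explicit KDCs, OTHER.TEST has none.
KRB5_CONF = """\
[libdefaults]
        dns_lookup_kdc = true
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
        }
"""

# Constructed /etc/hosts content.
HOSTS = """\
127.0.0.1   localhost
192.0.2.10  kdc1.example.com kdc1
192.0.2.11  kdc2.example.com kdc2
"""

# Constructed SRV answers keyed by lower-cased owner name (stand-in for DNS).
SRV_RECORDS = {'_kerberos._udp.other.test': ['kdc.other.test']}


def fake_srv_lookup(name):
    """Stand-in for a real SRV query; returns target hostnames (assumption)."""
    return SRV_RECORDS.get(name.lower(), [])


def parse_krb5_conf(text):
    """Minimal krb5.conf reader (assumed subset): 'key = value' lines inside
    [section] headers, and 'REALM = { ... }' blocks whose keys repeat."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, realm = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == '}':
            realm = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            realm = key
            conf[section].setdefault(realm, {})
        elif realm:
            conf[section][realm].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def lookup_hosts(hosts_text, name):
    """Match a name against /etc/hosts the way the files backend does:
    literal, case-insensitive comparison of each name/alias. A trailing
    dot is part of the string, so 'kdc1.example.com.' does not match."""
    for raw in hosts_text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        if name.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


def locate_kdcs(conf, realm, srv_lookup):
    """Return [(hostname, resolver)]. 'getaddrinfo' means the name is passed to
    getaddrinfo(3) untouched (honours /etc/hosts and nsswitch); 'dns-only'
    means it came from an SRV RR, is made fully qualified with a trailing dot
    so resolver search lists never apply, and is looked up in DNS alone."""
    configured = conf.get('realms', {}).get(realm, {}).get('kdc', [])
    if configured:
        return [(host, 'getaddrinfo') for host in configured]
    # Assumption: dns_lookup_kdc defaults to true when unset.
    flag = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true').lower()
    if flag in ('true', 'yes'):
        targets = srv_lookup('_kerberos._udp.' + realm)
        return [(t if t.endswith('.') else t + '.', 'dns-only') for t in targets]
    return []


if __name__ == '__main__':
    conf = parse_krb5_conf(KRB5_CONF)
    for realm in ('EXAMPLE.COM', 'OTHER.TEST'):
        print(realm, locate_kdcs(conf, realm, fake_srv_lookup))
    print(lookup_hosts(HOSTS, 'kdc1.example.com'), lookup_hosts(HOSTS, 'kdc1.example.com.'))
```

Run as-is: the configured realm yields its two names for getaddrinfo(3), the unconfigured realm yields `kdc.other.test.` for DNS only, and the last line shows why an unconditional trailing dot broke /etc/hosts deployments (the dotted form finds nothing).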
