> The domain to realm mapping, if spoofed, can trick a client program
> into authenticating to the wrong realm. If the appropriate principals
> exist in that other realm (perhaps set up by a less than scrupulous
> administrator), and the address record lookup is similarly spoofed (or
> the traffic is intercepted, or anything similar), then the client would
> quietly authenticate (successfully) to the wrong server, the user would
> send his private data, etc.

Eww... Ok, I'm removing them.

> Ah, yes, that's fine too. At MIT, at least, we haven't noticed client
> exchanges being a significant load, so we don't worry about it. You
> could also use SRV record priorities (which we support) and weights
> (which we don't, yet) to express other policies, like using the master
> if no answer is heard from the slaves, or (if you want to implement
> weights, hint hint :-) sending a much smaller fraction of the traffic
> to the master than to any of the slaves, etc.

*grin* I may look into it if I can find some free time!

Ok, one unrelated-to-dns srv thing. We changed the way we do a couple of things when we moved to 1.2.8 (and Solaris 8). Previously, every morning we restarted krb5kdc to rotate its logs. Very brief outage, obviously. Now, however, I make use of syslog so we don't have to ever have any outage whatsoever.

That said, for some reason krb524d seems to have a "leak" or something. After X days (X I haven't determined exactly yet, and it might not be a set number) krb524d croaks, no errors in the logs, no nothing. I resorted to running a job to check for it and bring it back up if it dies, but... I don't understand why it's "suddenly" croaking on a somewhat regular basis. Are there known issues with it? (for that matter, was it ever made non-experimental/alpha/whatever it was labeled before?) At first I figured we used to restart it nightly as well, but that turned out not to be the case.

Daniel

--
Daniel Henninger                    http://www.vorpalcloud.org/
North Carolina State University - Systems Programmer
Information Technology <IT>

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
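The quoted reply above describes two KDC-selection policies that SRV priorities and weights can express: "master only if no slave answers" (priorities) and "a much smaller fraction of traffic to the master" (weights). The following is an added example, not code from this thread or from MIT Kerberos: it parses constructed `_kerberos._udp` zone lines for both policies and applies the RFC 2782 client-side ordering (ascending priority, then weighted random choice within a priority group). The `rng` parameter is a hypothetical hook so the weighted step can be made deterministic; the hostnames under example.com are made up.

```python
"""
RFC 2782 SRV ordering for Kerberos KDC discovery (_kerberos._udp.<domain>).

Added example for this thread; it is not MIT Kerberos code. The zone lines
below are constructed, and the rng parameter is a hypothetical hook so the
weighted choice can be made deterministic in tests.
"""
import random
from dataclasses import dataclass
from itertools import groupby
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rr(line: str) -> SrvRecord:
    """Parse a zone-file SRV line: owner TTL class SRV prio weight port target."""
    f = line.split()
    if len(f) != 8 or f[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7])


def parse_zone(text: str) -> List[SrvRecord]:
    return [parse_srv_rr(l) for l in text.splitlines() if l.strip()]


# Policy 1 from the reply: use the master only if no slave answers.
# Lower priority numbers are tried first, so the master gets a higher number.
MASTER_AS_FALLBACK = parse_zone("""
_kerberos._udp.example.com. 300 IN SRV 0  60 88 kdc-slave1.example.com.
_kerberos._udp.example.com. 300 IN SRV 0  40 88 kdc-slave2.example.com.
_kerberos._udp.example.com. 300 IN SRV 10  0 88 kdc-master.example.com.
""")

# Policy 2: same priority, but send the master a much smaller share of traffic.
MASTER_LOW_WEIGHT = parse_zone("""
_kerberos._udp.example.com. 300 IN SRV 0 10 88 kdc-master.example.com.
_kerberos._udp.example.com. 300 IN SRV 0 50 88 kdc-slave1.example.com.
_kerberos._udp.example.com. 300 IN SRV 0 40 88 kdc-slave2.example.com.
""")

Rng = Callable[[int], int]  # returns an integer in [0, n]


def _order_within_priority(records: List[SrvRecord], rng: Rng) -> List[SrvRecord]:
    """RFC 2782 weight step: weight-0 records first, then repeatedly pick the
    first record whose running weight sum reaches a random number in
    [0, total], remove it, and repeat with the rest."""
    remaining = sorted(records, key=lambda r: r.weight != 0)  # stable: zeros first
    ordered: List[SrvRecord] = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng(total)
        running = 0
        for i, rec in enumerate(remaining):
            running += rec.weight
            if running >= pick:
                ordered.append(remaining.pop(i))
                break
    return ordered


def order_srv(records: List[SrvRecord], rng: Optional[Rng] = None) -> List[SrvRecord]:
    """Full client-side ordering: ascending priority, weighted within each priority."""
    rng = rng or (lambda n: random.randint(0, n))
    ordered: List[SrvRecord] = []
    by_priority = sorted(records, key=lambda r: r.priority)
    for _, group in groupby(by_priority, key=lambda r: r.priority):
        ordered.extend(_order_within_priority(list(group), rng))
    return ordered


def first_choice_share(records: List[SrvRecord], target: str) -> float:
    """Approximate fraction of clients that contact `target` first: its weight
    over the total weight of the lowest-priority group (0.0 if it is not in
    that group, i.e. it is only a fallback)."""
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group) or 1
    return sum(r.weight for r in group if r.target == target) / total


if __name__ == "__main__":
    for name, zone in (("fallback", MASTER_AS_FALLBACK), ("low weight", MASTER_LOW_WEIGHT)):
        print(name, [r.target for r in order_srv(zone)],
              "master share ~%.2f" % first_choice_share(zone, "kdc-master.example.com."))
```

Two things worth keeping in mind when relying on this. First, the reply says the library of that era honoured priorities but not yet weights, so the low-weight policy only takes effect once clients implement the weight step. Second, SRV records only locate KDCs; the realm-mapping spoofing described in the first quote is a separate lookup, and keeping it out of DNS (a static `[domain_realm]` section in krb5.conf with `dns_lookup_realm = false` in `[libdefaults]`) removes that part of the exposure, while a spoofed SRV record alone points a client at a host that does not hold the realm's keys and so cannot complete the exchange.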
