Hi folks, I recently tried to answer a Stack Overflow question regarding SPN/host canonicalization. While reading the GSS-API and Kerberos 5 RFCs I found a contradiction which I do not fully understand.

RFC2713 says on page 85:

> When a reference to a name of this type is resolved, the "hostname"
> may (as an example implementation strategy) be canonicalized by
> attempting a DNS lookup and using the fully-qualified domain name
> which is returned, or by using the "hostname" as provided if the DNS
> lookup fails. The canonicalization operation also maps the host's name
> into lower-case characters.

So it is up to the mechanism to look up the real FQDN. RFC1964 does the same. RFC4120, however, says:

> Implementations of Kerberos and protocols based on Kerberos MUST NOT use
> insecure DNS queries to canonicalize the hostname components of the
> service principal names (i.e., they MUST NOT use insecure DNS queries to
> map one name to another to determine the host part of the principal name
> with which one is to communicate). In an environment without secure name
> service, application authors MAY append a statically configured domain
> name to unqualified hostnames before passing the name to the security
> mechanisms, but they should do no more than that. Secure name service
> facilities, if available, might be trusted for hostname
> canonicalization, but such canonicalization by the client SHOULD NOT be
> required by KDC implementations.
>
> Implementation note: Many current implementations do some degree of
> canonicalization of the provided service name, often using DNS even
> though it creates security problems. However, there is no consistency
> among implementations as to whether the service name is case folded to
> lowercase or whether reverse resolution is used. To maximize
> interoperability and security, applications SHOULD provide security
> mechanisms with names that result from folding the user-entered name to
> lowercase without performing any other modifications or canonicalization.

I have checked the source code of krb5_sname_to_principal in sn2princ.c and see that it does canonicalize the hostname with DNS. So, how to interpret that?

Should Kerberos not look up DNS at any time? I use JGSS most of the time and it does canonicalize the hostname. This is crucial if you have DNS round-robin.

Thanks,
Michael

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
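To make the two strategies in the RFC quotes concrete, here is an added example (not code from the post, from MIT krb5 or from JGSS) that builds a service principal the way RFC 4120 recommends, next to the DNS-driven strategy RFC 2743 describes. The function names, the REALM value and the resolver table are assumptions constructed for illustration; the resolver is injected so the comparison runs offline.

```python
"""Service principal construction: RFC 4120 folding vs. DNS canonicalization.

Constructed example; names, realm and the fake resolver table are invented.
"""
import re

# One label of letters/digits/hyphens, dot-separated, optional trailing dot.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$")


def rfc4120_principal(service, user_host, realm, static_domain=None):
    """service/host@REALM as RFC 4120 recommends: fold the user-entered host
    to lowercase, at most append one statically configured domain if the
    name is unqualified, and perform no forward or reverse DNS lookup."""
    if not HOSTNAME_RE.match(user_host):
        raise ValueError("not a valid hostname: %r" % user_host)
    host = user_host.rstrip(".").lower()
    if "." not in host and static_domain:
        host = host + "." + static_domain.strip(".").lower()
    return "%s/%s@%s" % (service, host, realm)


def dns_canonicalized_principal(service, user_host, realm, resolver):
    """The RFC 2743 strategy that RFC 4120 warns against: replace the host
    with whatever name resolution returns.  With insecure DNS the answer
    chooses the principal whose ticket the client will request, so a wrong
    answer silently redirects authentication to a different service."""
    host = user_host.rstrip(".").lower()
    canonical = resolver(host).rstrip(".").lower()
    return "%s/%s@%s" % (service, canonical, realm)


# Constructed table standing in for DNS answers; the last entry models a
# spoofed or stale record, the failure mode the RFC text is about.
FAKE_DNS = {
    "www": "www.example.com",
    "www.example.com": "www.example.com",
    "ldap.example.com": "ldap.other.example",
}


def fake_resolver(host):
    """Offline resolver: unknown names pass through, like a failed lookup."""
    return FAKE_DNS.get(host, host)


if __name__ == "__main__":
    print(rfc4120_principal("host", "WWW", "EXAMPLE.COM", "example.com"))
    print(dns_canonicalized_principal("ldap", "LDAP.example.com",
                                      "EXAMPLE.COM", fake_resolver))
```

Comparing the two outputs for `LDAP.example.com` shows why the RFC 4120 text prefers case folding only: the principal you end up requesting a ticket for depends on nothing the client did not type.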
