On Wed, Sep 5, 2012 at 7:33 AM, Michael-O <[email protected]> wrote:
> For now, I do not see an alternative to a forward and reverse lookup at
> the moment. Well, isn't Kerberos used in managed environments only
> where only a few have control over DNS entries? In my case I am in a
> huge company with thousands of KDCs (Active Directory, namely).
>
> Are the aforementioned quotes a contradiction or simply a not solvable
> problem at the moment?

I would say "simply not a solvable problem with current protocols". In theory DNSSEC is the way out, once it is widely deployed.

Kerberos depends on all sides of the protocol knowing the principal names in an a priori way that is outside the protocol (i.e. if you want to talk to a server, you have to know the principal to use before you can even begin the conversation, and there is currently no way in the protocol to discover this). So either the KDC re-implements DNSSEC or DNSSEC is widely and securely deployed.

Kerberos (and all security protocols) are ways to extend trust, not create it, and they all require that you start with some data that you just assert is trustworthy.

- Booker C. Bense

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
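The forward and reverse lookup the thread is discussing, as an added example that is not part of the original post and not code from any Kerberos implementation: a Python sketch of how a client turns a typed host name into a service principal when DNS canonicalization is on, run against a constructed in-memory resolver with made-up records, so the effect of attacker-controlled forward or reverse records on the chosen principal can be seen. The host names, addresses, the FakeDns class and the mapping of the two lookups onto MIT krb5's dns_canonicalize_hostname and rdns settings are assumptions made for illustration.

```python
"""
Added example (not from the mailing-list thread): service principal
selection from a host name, with and without DNS canonicalization.

FakeDns is a constructed stand-in for getaddrinfo()/gethostbyaddr();
every record below is made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FakeDns:
    """Constructed resolver: CNAME/A records (forward) and PTR records (reverse)."""
    cname: dict = field(default_factory=dict)   # alias -> canonical name
    a: dict = field(default_factory=dict)       # canonical name -> IP
    ptr: dict = field(default_factory=dict)     # IP -> name

    def forward(self, name):
        """Like getaddrinfo(AI_CANONNAME): follow the CNAME chain, return (canonical, ip)."""
        seen = set()
        while name in self.cname:
            if name in seen:
                raise ValueError("CNAME loop at %s" % name)
            seen.add(name)
            name = self.cname[name]
        if name not in self.a:
            raise LookupError("no address for %s" % name)
        return name, self.a[name]

    def reverse(self, ip):
        """Like gethostbyaddr()."""
        if ip not in self.ptr:
            raise LookupError("no PTR for %s" % ip)
        return self.ptr[ip]


def service_principal(service, host, realm, dns, canonicalize=True, rdns=True):
    """
    Build service/host@REALM. The two flags are an assumed mapping of
    MIT krb5's [libdefaults] dns_canonicalize_hostname and rdns:
      canonicalize=False -> use the typed name, trailing dot stripped, lower-cased.
      canonicalize=True  -> forward lookup and use the canonical name;
                            rdns=True then replaces it with the PTR name of the
                            resolved address (falling back to the forward name
                            when there is no PTR record; assumed behaviour).
    """
    name = host.rstrip(".")
    if canonicalize:
        name, ip = dns.forward(name)
        if rdns:
            try:
                name = dns.reverse(ip)
            except LookupError:
                pass
    return "%s/%s@%s" % (service, name.lower(), realm)


def demo():
    """Run the same request against an honest zone and two attacker-influenced zones."""
    # Honest zone: app is an alias for web1, which resolves and reverses consistently.
    honest = FakeDns(
        cname={"app.example.com": "web1.example.com"},
        a={"web1.example.com": "192.0.2.10"},
        ptr={"192.0.2.10": "web1.example.com"},
    )
    # Attacker controls only the reverse zone (or spoofs the PTR response).
    ptr_spoofed = FakeDns(cname=honest.cname, a=honest.a,
                          ptr={"192.0.2.10": "evil.example.com"})
    # Attacker controls the forward zone: the alias now points at their host.
    fwd_spoofed = FakeDns(
        cname={"app.example.com": "evil.example.com"},
        a={"evil.example.com": "198.51.100.7"},
        ptr={"198.51.100.7": "evil.example.com"},
    )
    args = ("host", "app.example.com", "EXAMPLE.COM")
    return {
        "honest": service_principal(*args, honest),
        "ptr_spoofed": service_principal(*args, ptr_spoofed),
        "ptr_spoofed_no_rdns": service_principal(*args, ptr_spoofed, rdns=False),
        "fwd_spoofed_no_rdns": service_principal(*args, fwd_spoofed, rdns=False),
        "fwd_spoofed_no_canon": service_principal(*args, fwd_spoofed, canonicalize=False),
    }


if __name__ == "__main__":
    for label, princ in demo().items():
        print("%-22s %s" % (label, princ))
```

Disabling rdns only removes the reverse record from the decision; an attacker who controls the forward zone still steers the client to a principal whose key they hold. With canonicalization off the client asks for host/app.example.com no matter what DNS says, so redirected traffic cannot decrypt a ticket issued for that name, which is exactly the trade the reply describes: the caller must already know the right principal, and the KDC must have a key registered under that name.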
