On 2012-09-05 17:41, Booker Bense wrote:
> On Wed, Sep 5, 2012 at 7:33 AM, Michael-O <[email protected]> wrote:
>
>> For now, I do not see an alternative to a forward and reverse lookup at
>> the moment. Well, isn't Kerberos used in managed environments only
>> where only a few have control over DNS entries? In my case I am in a
>> huge company with thousands of KDCs (Active Directory, namely).
>>
>> Are the aforementioned quotes a contradiction or simply a not solvable
>> problem at the moment?
>
> I would say "simply not a solvable problem with current protocols". In
> theory DNSSEC is the way out, once it is widely deployed.
>
> Kerberos depends on all sides of the protocol knowing the principal names in
> an a priori way that is outside the protocol. (i.e. if you want to talk
> to a server, you have to know the principal to use before you can even
> begin the conversation and there is no way currently in the protocol to
> discover this.)
>
> So either the KDC re-implements DNSSEC or DNSSEC is widely and
> securely deployed.
> Kerberos (and all security protocols) are ways to extend trust, not
> create it, and they all require that you start with some data that you
> just assert is trustworthy.
Agreed, but this does not help understand the contradiction in the RFCs. I can't tell whether DNSSEC is deployed in our company.

Michael
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
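To make the dependency discussed above concrete, here is an added illustration (not code from the list, from MIT krb5 or from any other Kerberos implementation) of how a client builds a service principal from forward and reverse DNS answers. The DNS records are constructed and the realm and host names are assumptions; the code reports which answers the derived principal rests on and shows the a priori check Booker describes, where the client accepts only a principal it already knew.

```python
# Added illustration for the thread above; not code from the list, MIT krb5,
# or any other Kerberos implementation. DNS data is constructed; the realm and
# host names are assumptions.

REALM = "EXAMPLE.COM"  # assumed realm

# Constructed forward (A) answers: queried name -> (canonical name, address)
FORWARD = {
    "files": ("files.example.com", "192.0.2.10"),
    "files.example.com": ("files.example.com", "192.0.2.10"),
}
# Constructed reverse (PTR) answer. It disagrees with the A record, which is
# the kind of unauthenticated DNS data the thread is worried about.
REVERSE = {"192.0.2.10": "other-box.example.com"}


def derive_principal(host, rdns, forward=FORWARD, reverse=REVERSE, realm=REALM):
    """Build host/<canonical-name>@REALM the way a DNS-canonicalising client does.

    Returns the principal together with every DNS answer it depended on, so the
    caller can see which data it is simply asserting to be trustworthy.
    """
    relied_on = []
    canon, addr = forward.get(host, (host, None))
    if host in forward:
        relied_on.append(f"A {host} -> {canon} {addr}")
    # Reverse step: when enabled, the PTR name replaces the forward name.
    if rdns and addr is not None and addr in reverse:
        canon = reverse[addr]
        relied_on.append(f"PTR {addr} -> {canon}")
    canon = canon.rstrip(".").lower()
    return f"host/{canon}@{realm}", relied_on


def accept_principal(principal, known_principals):
    """The a priori knowledge the thread describes: accept a service principal
    only if it was configured in advance, not because DNS produced it."""
    return principal in known_principals


if __name__ == "__main__":
    known = {"host/files.example.com@EXAMPLE.COM"}
    for rdns in (True, False):
        princ, deps = derive_principal("files", rdns)
        print(f"rdns={rdns}: {princ} accepted={accept_principal(princ, known)}")
        for dep in deps:
            print("    relied on:", dep)
```

With the reverse step enabled the principal follows the PTR record, so a single spoofable answer changes which key the ticket is requested for; with it disabled, only the forward answer is trusted, and the configured list is what finally decides.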
