On Wed, Sep 5, 2012 at 8:50 AM, Michael-O <[email protected]> wrote:

> On 2012-09-05 17:41, Booker Bense wrote:
> > Agreed but this does not solve understanding the contradiction in the RFCs.
> I can't tell whether DNSSEC is deployed in our company.

Unless your company is a .gov, it's unlikely that DNSSEC is sufficiently deployed to be workable.

> > Michael

You are misunderstanding the nature of RFCs. Think of RFCs as a snapshot in time of the state of a protocol. Experience and changing threat models will cause the kind of changes you are seeing as a "contradiction".

The early RFCs document the only practical way of getting a unique per host service principal. Unfortunately, that method is not particularly secure and there is no widely deployed alternative. Later RFCs document this weakness, but don't offer any alternatives.

RFCs are really just recommendations for implementers; they can be and often are ignored in the face of actually getting things done.

FWIW, I would say the recommendation against using DNS is one of those things that's more honored in the breach than actually used in practice. Every commercial implementation that I know of has it turned on and they all support the use of DNS SRV records to locate the KDC. It's one of those compromises you have to make between usability and security.

- Booker C. Bense

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
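As an added illustration of the usability-versus-security compromise discussed above (not part of the thread, and not configuration from any poster), here is a constructed MIT krb5 `krb5.conf` fragment that keeps DNS SRV lookup for finding KDCs while refusing to let DNS choose the service principal name. The `dns_lookup_kdc`, `dns_canonicalize_hostname` and `rdns` keys are real MIT krb5 `[libdefaults]` settings; the realm name and KDC hostnames are placeholders.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Usability side: for realms with no kdc= entries below, locate KDCs
    # via DNS SRV records (_kerberos._udp.EXAMPLE.COM and friends).
    dns_lookup_kdc = true
    # Security side: do not let a DNS answer decide which host/<name>@REALM
    # principal the client asks for. Without DNSSEC, forward and reverse
    # lookups are unauthenticated, so a spoofed answer could steer the
    # client to a principal the attacker controls. Use the name as typed.
    dns_canonicalize_hostname = false
    rdns = false

[realms]
    # Placeholder realm; explicit kdc= entries take precedence over SRV.
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
```

Defaults for `dns_canonicalize_hostname` and `rdns` are true in MIT krb5, which is the "turned on" behaviour Booker refers to; setting them false is what trades some convenience for a DNS-independent principal name.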
