On Thu, Mar 14, 2013 at 4:02 PM, Greg Hudson <[email protected]> wrote:
> On 03/14/2013 11:25 AM, Yury Sulsky wrote:
> The sname-to-principal code isn't performing a pass-or-fail check; it's
> trying to determine the canonical name of a host. So if we considered
> multiple PTR records or did PTR lookups for multiple addresses, we would
> have to somehow decide which one to use.

I'm not sure I understand. The function [krb5_sname_to_principal] takes a candidate hostname (or calls [gethostname] if that argument is NULL), and performs a forward lookup using [getaddrinfo]. It then takes the canonical name and IP address stored in the first addrinfo record and checks that DNS has a reverse mapping from that IP address to that canonical name; otherwise it fails. This check is performed using [getnameinfo], so only a single PTR record is examined (probably the first one, though I guess that depends on the libc implementation). Would it be incorrect (or somehow insecure) to search through all PTR records for the canonical name rather than just the one that's returned by [getnameinfo]?

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
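The forward/reverse check Yury describes, as an added model with constructed data (not MIT krb5 code): the FORWARD and REVERSE tables are assumptions standing in for getaddrinfo() and for getnameinfo()/a full PTR query, and the example shows how the single-PTR check and the proposed all-PTR search differ for a host whose address carries two PTR records.

```python
"""Offline model of the sname-to-principal reverse check from the thread.

Constructed example, not MIT krb5 code: dictionaries replace the resolver so
the logic can be run without DNS.
"""
from typing import Dict, List, Optional, Tuple

# Constructed forward data: hostname -> (canonical name, addresses), i.e. what
# getaddrinfo() with AI_CANONNAME would hand back, first addrinfo record first.
FORWARD: Dict[str, Tuple[str, List[str]]] = {
    "kdc": ("kdc.example.com", ["192.0.2.10", "192.0.2.11"]),
    "kdc.example.com": ("kdc.example.com", ["192.0.2.10", "192.0.2.11"]),
}

# Constructed reverse data: address -> every PTR name for it, in zone order.
# getnameinfo() surfaces only one of these (modelled here as ptrs[0]).
REVERSE: Dict[str, List[str]] = {
    "192.0.2.10": ["alias.example.com", "kdc.example.com"],
    "192.0.2.11": ["kdc.example.com"],
}


def forward_lookup(host: str) -> Optional[Tuple[str, List[str]]]:
    """Stand-in for getaddrinfo(): canonical name plus address list."""
    return FORWARD.get(host)


def reverse_lookup(addr: str) -> List[str]:
    """Stand-in for a full PTR query; getnameinfo() would return ptrs[0] only."""
    return REVERSE.get(addr, [])


def canonicalize(host: str, check_all_ptrs: bool) -> Optional[str]:
    """Return the canonical name if the reverse check passes, else None.

    Mirrors the behaviour described in the thread: only the first addrinfo
    record is used, then the reverse mapping is checked against either the
    single name getnameinfo() yields (check_all_ptrs=False) or every PTR
    record for that address (check_all_ptrs=True, the proposed change).
    """
    fwd = forward_lookup(host)
    if fwd is None:
        return None
    canon, addrs = fwd
    ptrs = reverse_lookup(addrs[0])  # first addrinfo record only
    if not ptrs:
        return None
    candidates = ptrs if check_all_ptrs else ptrs[:1]
    return canon if canon.lower() in (p.lower() for p in candidates) else None
```

With the constructed data, the first PTR for 192.0.2.10 is an alias, so the getnameinfo()-style check rejects "kdc" while the all-PTR search accepts it; which outcome is correct is exactly the question the thread is debating.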
