Nico Williams <[email protected]> writes:
> On Fri, Mar 15, 2013 at 9:04 AM, Yury Sulsky <[email protected]> wrote:
>> Right, thanks. I should have read more carefully. Still, wouldn't it make
>> sense to iterate through all PTR records and search for one that matches the
>> canonical name returned from the forward lookup? If a record like that does
>> exist, returning that one would allow the user to specify a host that has
>> other canonical names (and multiple PTR records).
> The code here isn't seeing the PTR records. Instead MIT Kerberos is
> calling system library functions (getnameinfo(3)) that do that, and
> those functions, as I've explained, only look at one PTR RR.

Adapting the code to iterate over multiple PTR records would add complexity and require calling out to a lower-level DNS resolver API. In addition, any nsswitch-based hostname information that is not in DNS would be ignored (unless getnameinfo() were also consulted). I would prefer to not do this without a really good reason, especially because we are trying to eventually eliminate the use of hostname canonicalization for principal name construction in our implementation.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
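To make concrete what "iterate over multiple PTR records" would involve (the wire-format parsing that getnameinfo(3) hides), here is an added example that is not code from MIT Kerberos or from anyone on this thread: it decodes a constructed DNS reply carrying two PTR records for one address and applies Yury's rule of keeping only the target that equals the forward-lookup canonical name. The hostnames, address and response bytes are made up for the example.

```python
import struct
def _labels(name):
    # Encode a dotted hostname as uncompressed DNS wire-format labels.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_sample_response():
    # Constructed (not captured) reply to "4.3.2.1.in-addr.arpa PTR" carrying two
    # PTR RRs; the second RDATA uses a compression pointer into the first.
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # id, flags, qd, an, ns, ar
    msg += _labels("4.3.2.1.in-addr.arpa") + struct.pack("!HH", 12, 1)  # QTYPE PTR, IN
    rr_hdr = b"\xc0\x0c" + struct.pack("!HHI", 12, 1, 300)  # owner -> question name
    rdata1 = _labels("alias.example.com")
    msg += rr_hdr + struct.pack("!H", len(rdata1)) + rdata1
    suffix = len(msg) - len(rdata1) + 6  # offset of "example.com" inside rdata1
    rdata2 = b"\x04host" + struct.pack("!H", 0xC000 | suffix)
    return msg + rr_hdr + struct.pack("!H", len(rdata2)) + rdata2

def _read_name(msg, off):
    # Decode a possibly compressed name; return (name, offset just past it).
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer; remember where we left off
            end, hops = (off + 2 if end is None else end), hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), end if end is not None else off + 1

def ptr_targets(msg):
    # Walk the answer section and return every PTR target in wire order.
    qd, an = struct.unpack("!HH", msg[4:8])
    off, targets = 12, []
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 12:
            targets.append(_read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return targets

def matching_ptr(msg, canonical):
    # The proposed rule: accept only a PTR whose target equals the forward canonical name.
    want = canonical.rstrip(".").lower()
    return next((t for t in ptr_targets(msg) if t.lower() == want), None)
```

A single-record lookup would have returned the first target (alias.example.com) and missed the match; reading the wire message directly, as this does, also bypasses every other nsswitch source, which is the second objection raised in the reply above.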
