> Also, the use of TXT records to determine which realm a service
> belongs to is insecure and is disabled by default in MIT Kerberos.
> You would need to explicitly enable this functionality in your
> krb5.ini file in order to use it.
I will note that NO ONE has EVER explained to me how this is more insecure if you are canonicalizing DNS names ... which everyone does.

From that draft:

> This is not an exploit of the Kerberos protocol but of the Kerberos trust model. The same can be done to any application that must resolve the hostname in order to determine which domain a non-FQDN belongs to.

I suppose I can see a case where you're getting stuff out of CellServDB; those names are already FQDNs. But if you're looking up your AFS cell information via AFSDB records, then you're already in the same boat.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
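The following is an added illustration of the mapping the two messages above are arguing about; it is example code written for this page, not code from OpenAFS, MIT Kerberos or either poster. It models, in simplified form, the order in which MIT's `krb5_get_host_realm()` decides a host's realm: the static `[domain_realm]` section of `krb5.conf` (the file is `krb5.ini` on Windows) first, then `_kerberos.<name>` DNS TXT records only if `dns_lookup_realm = true` is set, then the upper-cased parent domain as the fallback realm. The config fragment, hostnames, realms and DNS answers are constructed, and the two dictionaries stand in for a resolver so the code runs offline.

```python
"""Host-to-realm mapping with DNS TXT lookups off (the MIT default) and on.

Added example for this thread, not code from OpenAFS or MIT Kerberos. The
lookup order is a simplified model of MIT's krb5_get_host_realm(): static
[domain_realm] entries first (exact host, then parent domains written with
a leading dot), then "_kerberos.<name>" TXT records only when
dns_lookup_realm is enabled, then the upper-cased parent domain as the
fallback realm. All hostnames, realms and DNS answers below are constructed.
"""
import configparser

# Constructed krb5.conf fragment (dns_lookup_realm = false is the MIT default).
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
legacy.example.com = LEGACY.EXAMPLE.COM
"""

# Constructed stand-in for the resolver's answers to "_kerberos.<name>" TXT
# queries. Whoever answers these queries picks the realm once TXT lookups
# are enabled and no static mapping matches.
FAKE_TXT = {"_kerberos.example.net": "OTHER.REALM"}

# Constructed stand-in for canonical-name resolution of short names. This
# step trusts DNS as well, which is the point Ken raises above.
FAKE_CANON = {"afs1": "afs1.example.com", "fs1": "fs1.example.net"}


def load_conf(text):
    """Parse the [libdefaults] and [domain_realm] sections of a krb5.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def canonicalize(name, resolver=FAKE_CANON):
    """Expand a short name to an FQDN using the (constructed) resolver."""
    return resolver.get(name, name)


def static_realm(host, domain_realm):
    """[domain_realm] lookup: exact host, then '.parent' suffixes, longest first."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def txt_realm(host, resolver):
    """DNS lookup of _kerberos.<host>, then _kerberos.<parent>, and so on."""
    labels = host.split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in resolver:
            return resolver[name]
    return None


def host_realm(host, conf, resolver=FAKE_TXT):
    """Return (realm, source) for host under the given configuration."""
    host = host.lower().rstrip(".")
    domain_realm = {k.lower(): v for k, v in conf["domain_realm"].items()}
    realm = static_realm(host, domain_realm)
    if realm:
        return realm, "domain_realm"
    if conf.getboolean("libdefaults", "dns_lookup_realm", fallback=False):
        realm = txt_realm(host, resolver)
        if realm:
            return realm, "dns_txt"
    # Nothing matched: fall back to the upper-cased parent domain.
    parent = host.split(".", 1)[1] if "." in host else host
    return parent.upper(), "fallback"


CONF_DEFAULT = load_conf(KRB5_CONF)
CONF_TXT_ON = load_conf(KRB5_CONF.replace("dns_lookup_realm = false",
                                          "dns_lookup_realm = true"))

if __name__ == "__main__":
    for short in ("afs1", "fs1"):
        fqdn = canonicalize(short)
        print(short, "->", fqdn,
              "| TXT off:", host_realm(fqdn, CONF_DEFAULT),
              "| TXT on:", host_realm(fqdn, CONF_TXT_ON))
```

Running it shows the two positions side by side: a host covered by a static `[domain_realm]` entry gets the same realm whatever DNS says, while a host with no static entry gets its realm from the TXT answer once `dns_lookup_realm` is on, and from the upper-cased domain otherwise. The `canonicalize` step shows where DNS already enters before any realm lookup happens: the FQDN that the static map is matched against is itself a resolver answer.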
