[38738] in Kerberos

Re: rdns, past and future

daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue May 26 17:35:29 2020

Message-ID: <7fb61db58cc69cdd4d889dfc56fb1ea4248a679a.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Ken Dreyer <ktdreyer@ktdreyer.com>, kerberos@mit.edu
Date: Tue, 26 May 2020 17:32:33 -0400
In-Reply-To: <CAD3FbMWbxiS=2Qx_6igCX-RWsO4L5qOtX8p74Wx0AL+in+Uqaw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, 2020-05-26 at 15:09 -0600, Ken Dreyer wrote:
> Hi folks,
> 
> In public cloud environments or Kubernetes environments, PTR records
> are difficult or impossible for administrators to set. We increasingly
> have to tell users to set "rdns = fallback" or "rdns = false".
> 
> I'm wondering what the original purpose of Kerberos' rdns feature was.
> Why would a client want or need to do hostname canonicalization?
> 
> I'm also wondering if we will ever be able to default MIT Kerberos'
> rdns setting to "fallback" or "false" in a future version. IMHO this
> would make it easier to deploy Kerberos applications in modern hosting
> environments.

FWIW in RHEL and Fedora we set rdns = false by default since 2013, and
we are now also setting dns_canonicalize_hostname to fallback by
default.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
