On 01/31/2013 07:57 PM, Ken Dreyer wrote:
> On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik
>> Kerberos clients can optionally verify reverse DNS records for services that
>> they connect to as a way of trying to identify which realm they belong to.
>> However in many cases these do not exist. Kerberos should fall back to its
>> default behavior in that case. Failure to do this is a common point of failure
>> when using Kerberos.
> Is this basically the same as what was discussed a while back on the
> MIT kerberos list? If so, that is really great.
> It was not clear to me from the feature description if this will
> disable rdns entirely? Does this only cover cases where a PTR record
> is completely missing, or does it also cover cases where the PTR
> record is present but "incorrect" (eg. doesn't match the forward record)?
> I have plenty of both situations at my site :-(
That's not completely set in stone yet.
Ideally we would change the default to match rdns = false. But if that's
too invasive, we would make sure that the default does not fail when PTR
records do not exist.
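As an added illustration (not code from this thread or from MIT krb5), the following Python model shows the lookup behaviour under discussion with a constructed DNS table covering the three situations raised above: PTR matching, PTR missing, and PTR present but wrong. The hostnames, addresses and realm are made up.

```python
"""Toy model of how a Kerberos client picks the host name for host/<name>@REALM.

Constructed example: a small in-memory table replaces real forward (A) and
reverse (PTR) DNS lookups so the logic runs offline. It models the behaviour
the feature asks for (fall back to the forward name when no PTR exists), not
the exact code path of any particular Kerberos implementation.
"""

# Constructed DNS data (hostnames and addresses are invented).
FORWARD = {
    "www.example.com": "192.0.2.10",   # PTR exists and matches
    "mail.example.com": "192.0.2.20",  # no PTR at all
    "db.example.com": "192.0.2.30",    # PTR exists but names a different host
}
REVERSE = {
    "192.0.2.10": "www.example.com",
    "192.0.2.30": "old-db.example.com",
}


def ptr_status(hostname):
    """Classify the reverse record for a host: 'match', 'missing' or 'mismatch'."""
    addr = FORWARD[hostname.lower()]
    ptr = REVERSE.get(addr)
    if ptr is None:
        return "missing"
    return "match" if ptr == hostname.lower() else "mismatch"


def canonical_host(hostname, rdns):
    """Return the name a client would put in the service principal.

    rdns=False: always use the forward name.
    rdns=True : use the PTR name when one exists; when the PTR is missing,
                fall back to the forward name instead of failing. A PTR that
                exists but disagrees with the forward name is still used, so
                the 'incorrect PTR' case yields a different principal.
    """
    name = hostname.lower()
    addr = FORWARD.get(name)
    if addr is None:
        raise LookupError(f"no forward record for {name}")
    if not rdns:
        return name
    ptr = REVERSE.get(addr)
    return ptr if ptr is not None else name


def service_principal(hostname, realm, rdns):
    """Build host/<canonical name>@REALM for the given rdns setting."""
    return f"host/{canonical_host(hostname, rdns)}@{realm}"
```

With `rdns = false` the principal never depends on the reverse zone, which is why the thread prefers it as the default.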