author: Ken Raeburn <raeburn@mit.edu> 2002-09-20 20:47:43 +0000
committer: Ken Raeburn <raeburn@mit.edu> 2002-09-20 20:47:43 +0000
commit: c83ff74a790a8668513e7f89b53cadff401b2c69 (patch)
tree: 45fdfb884234f3cbd72f58f8cb48a996f9b3a81d /doc
parent: eaedc17afd1ecafee7098607ccb8778ffecfed38 (diff)

* admin.texinfo, dnssrv.texinfo: Documented config file variables and SRV
records to use for Kerberos TCP service, if it's enabled, which it isn't by
default. Removed UDP port 750 from the DNS SRV recommendations.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14892 dc483132-0cff-0310-8789-dd5450dbe970

Diffstat (limited to 'doc')
-rw-r--r-- doc/ChangeLog 7
-rw-r--r-- doc/admin.texinfo 26
-rw-r--r-- doc/dnssrv.texinfo 16
3 files changed, 42 insertions, 7 deletions

diff --git a/doc/ChangeLog b/doc/ChangeLog
index ce81239fbc..a3e85a2aea 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,10 @@
+2002-09-20 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo, dnssrv.texinfo: Documented config file variables
+ and SRV records to use for Kerberos TCP service, if it's enabled,
+ which it isn't by default. Removed UDP port 750 from the DNS SRV
+ recommendations.
+
2002-09-20 Jen Selby <jenselby@mit.edu>
* Makefile: made the list of manpages a variable
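Review bot: the new ChangeLog entry says "Documented config file variables and SRV records" without naming them, so a later search of the log for `kdc_tcp_ports` or `_kerberos._tcp` will not find this change. Suggest naming both in the entry, next to the existing mention of UDP port 750.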
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index c4d8341633..e3b4b7656a 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -1025,11 +1025,24 @@ The following relation is defined in the [kdcdefaults] section:
@table @b
@itemx kdc_ports
This relation lists the ports on which the Kerberos server should
-listen by default. This list is a comma separated list of integers.
+listen for UDP requests by default. This list is a comma separated
+list of integers.
If this relation is not specified, the compiled-in default is
@value{DefaultKdcPorts}, the first being the assigned Kerberos port
and the second which was used by Kerberos V4.
+@itemx kdc_tcp_ports
+This relation lists the ports on which the Kerberos server should
+listen for TCP connections by default. This list is a comma separated
+list of integers.
+If this relation is not specified, the compiled-in default is not to
+listen for TCP connections at all.
+
+If you wish to change this (which we do not recommend, because the
+current implementation has little protection against denial-of-service
+attacks), the standard port number assigned for Kerberos TCP traffic
+is port 88.
+
@itemx v4_mode
This string specifies how the KDC should respond to Kerberos 4
packets. The possible values are none, disable, full, and nopreauth.
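Review bot: the denial-of-service warning in the new `@itemx kdc_tcp_ports` entry sits inside a parenthetical ("which we do not recommend, because the current implementation has little protection against denial-of-service attacks"), where an administrator scanning for the port number can read past it. Suggest making it a sentence of its own ahead of the "port 88" sentence, so the risk is stated before the value that enables the listener. Minor: "comma separated" would read better hyphenated in both the `kdc_ports` and `kdc_tcp_ports` entries.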
@@ -1152,9 +1165,14 @@ listen for this realm. The default is @value{DefaultKpasswdPort}.
Kerberos realm.
@itemx kdc_ports
-(String.) Specifies the list of ports that the KDC is to listen to for
-this realm. By default, the value of kdc_ports as specified in the
-[kdcdefaults] section is used.
+(String.) Specifies the list of ports that the KDC is to listen to
+for UDP requests for this realm. By default, the value of kdc_ports
+as specified in the [kdcdefaults] section is used.
+
+@itemx kdc_tcp_ports
+(String.) Specifies the list of ports that the KDC is to listen to
+for TCP requests for this realm. By default, the value of
+kdc_tcp_ports as specified in the [kdcdefaults] section is used.
@itemx master_key_name
(String.) Specifies the name of the principal associated with the
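Review bot: the per-realm `@itemx kdc_tcp_ports` entry only defers to the [kdcdefaults] value and does not say that the default there is to not listen on TCP at all, nor does it repeat or point to the denial-of-service caveat given in that section. A reader who arrives at the realm section directly gets no hint that enabling this is discouraged; suggest a short cross-reference to the [kdcdefaults] description. The wording also differs between the two entries ("TCP requests" here, "TCP connections" there); pick one.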
diff --git a/doc/dnssrv.texinfo b/doc/dnssrv.texinfo
index 1f306d0f41..1a401ac14e 100644
--- a/doc/dnssrv.texinfo
+++ b/doc/dnssrv.texinfo
@@ -21,9 +21,19 @@ well.) Several different Kerberos-related service names are used:
@table @code
@item _kerberos._udp
-This is for contacting any KDC. This entry will be used the most
-often. Normally you should list ports @value{DefaultKdcPorts} on each
-of your KDCs.
+This is for contacting any KDC by UDP. This entry will be used the most
+often. Normally you should list port 88 on each of your KDCs.
+@c Don't encourage continued use of port 750 for krb5.
+@c It should be only for backwards compatibility with krb4.
+@c Do the Mac/Windows krb4 libraries use this DNS entry?
+@c The UNIX code does not.
+
+@item _kerberos._tcp
+This is for contacting any KDC by TCP. The MIT KDC by default will not
+listen on any TCP ports, so unless you've changed the configuration or
+you're running another KDC implementation, you should leave this
+unspecified. If you do enable TCP support, normally you should use
+port 88.
@item _kerberos-master._udp
This entry should refer to those KDCs, if any, that will immediately see
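Review bot: the `@c` block added under `_kerberos._udp` leaves the question "Do the Mac/Windows krb4 libraries use this DNS entry?" open, while the visible text already drops port 750 from the recommendation. If those libraries do read this record, sites that follow the new text would stop publishing the 750 entry for them; suggest answering the question before this goes in, or stating in the rendered text that 750 is only for krb4 backwards compatibility rather than keeping that in a comment. The new `_kerberos._tcp` item could also point to the `kdc_tcp_ports` description in admin.texinfo, since the reason TCP is off by default is only given there.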