authorStef Walter <stefw@redhat.com>2012-03-20 21:45:43 +0100
committerNalin Dahyabhai <nalin@redhat.com>2012-03-20 18:16:59 -0400
commit2da88740651fa66bb28cb10fbb18dd5fd4956bc0 (patch)
treebf61074aabc5efb437b60ef1eda327b4f72247f2
parent7d6fe6def6085c7c99e32af92b05a5cef3128127 (diff)
Change back dns_lookup_kdc to the default
The specifications recommend against using TXT records to map hostnames to realms. However, they do not recommend against using SRV records to look up the KDC. Change back to the MIT default of enabling DNS for KDC lookup. This allows automatic configuration and failover. A theoretical attack involving SRV records could equally be accomplished by a similar attack involving the A records for the KDC hosts.
-rw-r--r--krb5.conf1
1 files changed, 0 insertions, 1 deletions
diff --git a/krb5.conf b/krb5.conf
index 33ec1cc..b2e0a25 100644
--- a/krb5.conf
+++ b/krb5.conf
@@ -6,7 +6,6 @@
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
- dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true