(heimdal.info) Setting up DNS
Info Catalog
(heimdal.info) Transit policy
(heimdal.info) Setting up a realm
Setting up DNS
==============
If there is information about where to find the KDC or kadmind for a
realm in the `krb5.conf' for a realm, that information will be
preferred and DNS will not be queried.
Heimdal will try to use DNS to find the KDCs for a realm. First it will
try to find `SRV' resource record (RR) for the realm. If no SRV RRs are
found, it will fall back to looking for a `A' RR for a machine named
kerberos.REALM, and then kerberos-1.REALM, etc
Adding this information to DNS makes the client have less configuration
(in the common case, no configuration) and allows the system
administrator to change the number of KDCs and on what machines they
are running without caring about clients.
The backside of using DNS that the client might be fooled to use the
wrong server if someone fakes DNS replies/data, but storing the IP
addresses of the KDC on all the clients makes it very hard to change
the infrastructure.
Example of the configuration for the realm `EXAMPLE.COM',
$ORIGIN example.com.
_kerberos._tcp SRV 10 1 88 kerberos.example.com.
_kerberos._udp SRV 10 1 88 kerberos.example.com.
_kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
_kerberos._udp SRV 10 1 88 kerberos-1.example.com.
_kpasswd._udp SRV 10 1 464 kerberos.example.com.
_kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
More information about DNS SRV resource records can be found in
RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
Info Catalog
(heimdal.info) Transit policy
(heimdal.info) Setting up a realm
automatically generated byinfo2html