Comment 10 for bug 571572

Sam Hartman (hartmans) wrote : Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

>>>>> "Jesper" == Jesper Krogh <email address hidden> writes:

    Jesper> Hi Russ. I cannot say anything about what other are
    Jesper> Would a patch that makes the behaviour configurable be
    Jesper> acceptable?

I think that this patch should be accepted only if upstream is
interested in the patch. Given that upstream accepted rdns (something I
thought was kind of dubious at the time), a patch to completely disable
dns processing seems reasonable.

Apple's Kerberos maintainer argues that this behavior really needs to be
configured on a per-realm basis. Unfortunately, the way
krb5_sname_to_principal interacts with referrals makes this kind of
tricky. If I were upstream I'd require the design of the patch to be
forward-compatible to an eventual model where it was
configured/auto-detected on a per-realm basis and the behavior of any
configuration knobs you add to be documented well enough so that people
would understand how they will behave in the future, but beyond that
would accept the patch.
So, if upstream agrees with me here, you'd have to do somewhat more
design work up front, but the actual patch would be simple.

I'm certainly happy to accept such a patch into Debian as soon as
upstream accepts it and to encourage Ubuntu to accept it.

I don't have the time to facilitate the discussion between you and
upstream; I wish I did. My recommendation for interacting with upstream
is to bring up the issue on <email address hidden> and to include the URI of
this bug report.

Kerberos DNS behavior is complicated enough that having Ubuntu or Debian
diverge from upstream seems undesirable, so I think involving upstream
in the discussion is important.

--Sam
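The `rdns` setting Sam refers to above is the existing `[libdefaults]` knob that controls only the reverse (PTR) half of the lookup; the forward A/AAAA canonicalization still runs. The snippet below is an added illustration of that setting in a krb5.conf, not text from the bug report or a patch from the thread; the realm name and default settings are constructed placeholders.

```ini
; Added example krb5.conf fragment (not from the bug report).
; EXAMPLE.COM and the default_realm value are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

    ; rdns = true (the default) resolves the host forward to an address and
    ; then looks up that address's PTR record, using the PTR name in the
    ; service principal. A mismatched or attacker-influenced PTR therefore
    ; changes which host/... principal the client asks a ticket for.
    ;
    ; rdns = false keeps the forward lookup but skips the PTR step, so the
    ; principal is built from the forward-canonicalized name only. This is
    ; the narrower knob; it does not disable DNS processing entirely, which
    ; is what the patch discussed above would add.
    rdns = false
```

Operationally, the check is simply whether the host name in the service principal your client requests matches what you expect: with `rdns = true` it tracks the PTR record, with `rdns = false` it tracks the forward-resolved name, and neither setting removes the forward lookup.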