I believe that the lucid behavior is correct according to MIT's
documentation: what should be happening is that
* with rdns=true (default), both forward and reverse resolution is
performed and the reverse name is used
* With rdns=false, forward resolution is performed including alias
resolution--that is cnames turn into the pointed-to value not the
entered value.
That behavior seems consistent with the code. If you believe that
things aren't working that way, then I can attempt to reproduce.
As I understand your patch, it would (on some platforms including all
Ubuntu platforms) cause the rdns=false behavior to actually skip
resolution and just use the entered name not resolving cnames.
It's possible there was a bug in previous releases of MIT Kerberos and
this was the behavior.
I also understand that the behavior surrounding Kerberos and DNS is kind
of complicated and not entirely desirable. The paper I pointed you at
includes discussions of problems with the current behavior and eventual
goals. It also recommends ways applications can avoid forward/reverse
DNS resolution if they wish to do so.
The Kerberos Consortium has a paper on integrating Kerberos into an www.kerberos. org/software/ appskerberos. pdf .
application; see http://
I believe that the lucid behavior is correct according to MIT's
documentation: what should be happening is that
* with rdns=true (default), both forward and reverse resolution is
performed and the reverse name is used
* With rdns=false, forward resolution is performed including alias
resolution--that is cnames turn into the pointed-to value not the
entered value.
That behavior seems consistent with the code. If you believe that
things aren't working that way, then I can attempt to reproduce.
As I understand your patch, it would (on some platforms including all
Ubuntu platforms) cause the rdns=false behavior to actually skip
resolution and just use the entered name not resolving cnames.
It's possible there was a bug in previous releases of MIT Kerberos and
this was the behavior.
I also understand that the behavior surrounding Kerberos and DNS is kind
of complicated and not entirely desirable. The paper I pointed you at
includes discussions of problems with the current behavior and eventual
goals. It also recommends ways applications can avoid forward/reverse
DNS resolution if they wish to do so.