Using a CNAME in the kerberos SRV record


Using a CNAME in the kerberos SRV record

Adam Lewenberg
I would like to change our Kerberos DNS SRV records from using an A
record to a CNAME record. According to the DNS specs, a SRV record can
only point to an A (or AAAA) record.

I did some minimal testing, and the MIT kinit client as well as the
Heimdal kinit client had no trouble with CNAMEs in the SRV record.

Here is the question:

Has anyone on the list encountered a Kerberos client or library that
used DNS discovery that COULDN'T handle an SRV record with a CNAME?

Thanks, Adam Lewenberg


Re: Using a CNAME in the kerberos SRV record

Jeffrey Altman-2
On 1/11/2019 11:35 AM, Adam Lewenberg wrote:
> I would like to change our Kerberos DNS SRV records from using an A
> record to a CNAME record. According to the DNS specs, a SRV record can
> only point to an A (or AAAA) record.

That is correct.   Pointing an SRV entry to a CNAME will lead to
unpredictable behavior depending upon the implementation of both the DNS
client and the server.

I strongly recommend against doing so.

Jeffrey Altman


Re: Using a CNAME in the kerberos SRV record

Harald Barth-2

> I strongly recommend against doing so.

I'm 100% with Jeff because imagine that a future upgrade will give you
a resolver (on any OS/client) that will do as the specification says
and not give the answer you expect? In other words: If you control all
the clients and are not afraid to get problems which are hard to
debug, go ahead and use CNAMEs ;-)

Harald.
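An added example, not part of the thread, of the check that Jeff's and Harald's replies imply: a standard-library Python script that walks a zone's Kerberos SRV targets and flags any target that is an alias or owns no A/AAAA record, which is what RFC 2782 requires of an SRV target. The zone data is a constructed in-memory dict (example.com is a reserved documentation name); swapping the dict for live lookups is left to the reader.

```python
from typing import Dict, List, Tuple

# Constructed zone data for illustration (not a real realm).
# Each owner name maps to a list of (rtype, rdata) records.
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "_kerberos._udp.example.com.": [
        ("SRV", (0, 100, 88, "kdc1.example.com.")),      # direct A/AAAA: fine
        ("SRV", (10, 0, 88, "kdc-alias.example.com.")),  # alias target: violates RFC 2782
        ("SRV", (20, 0, 88, "kdc-gone.example.com.")),   # no address records at all
    ],
    "kdc1.example.com.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "kdc-alias.example.com.": [("CNAME", "kdc2.example.com.")],
    "kdc2.example.com.": [("A", "192.0.2.11")],
}


def records(zone, name: str, rtype: str) -> list:
    """All rdata of type rtype at owner name (empty list if none)."""
    return [rdata for rt, rdata in zone.get(name, []) if rt == rtype]


def check_srv_targets(zone, srv_name: str, max_chain: int = 8) -> Dict[str, Tuple[str, str, list]]:
    """Classify each SRV target as ('ok'|'cname'|'missing', canonical name, addresses).

    'cname' marks targets that only work if the resolver follows the alias on
    its own, which is the implementation-dependent behaviour the thread warns about.
    """
    results = {}
    for _prio, _weight, _port, target in records(zone, srv_name, "SRV"):
        name, chain = target, []
        while len(chain) < max_chain:  # follow aliases, bounded so a CNAME loop terminates
            cname = records(zone, name, "CNAME")
            if not cname:
                break
            chain.append(name)
            name = cname[0]
        addrs = records(zone, name, "A") + records(zone, name, "AAAA")
        status = "cname" if chain else ("ok" if addrs else "missing")
        results[target] = (status, name, addrs)
    return results


def violations(zone, srv_name: str) -> List[str]:
    """Targets a spec-conforming resolver may reject: aliases or address-less names."""
    return sorted(t for t, (status, _, _) in check_srv_targets(zone, srv_name).items() if status != "ok")


if __name__ == "__main__":
    for target, (status, cname, addrs) in check_srv_targets(ZONE, "_kerberos._udp.example.com.").items():
        print(f"{target:28} {status:8} -> {cname} {addrs}")
```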