>>>>> "Russ" == Russ Allbery <[EMAIL PROTECTED]> writes:
Russ> SRV records can pose similar problems, but people don't seem
Russ> as worried about them. I'm not sure if that's because the
Russ> analysis of what an attacker can do with a SRV record is
Russ> less confusing or just because SRV records are very useful
Russ> and widely used.

At least in the case of Kerberos, there is no security problem with the SRV record. All KDCs in a given realm are trusted at the same level. The SRV record lets you find the KDC. However, you can make sure it is the right KDC because you and that KDC share a secret.

It's potentially possible that someone spoofing DNS could cause you to try and authenticate to the wrong KDC. That would give the attacker an opportunity to mount a dictionary attack against your password. However, if your password is strong, the attacker should not get a significant advantage from this.

The TXT records are more dangerous. Especially in situations where you have a cross-realm relationship with not very trusted realms it can open up significant attacks.
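
A client-side check for the SRV/TXT distinction drawn in the message above, as an added example that is not part of the original post: it assumes an MIT krb5 client, where `dns_lookup_kdc` controls SRV lookup of KDCs and `dns_lookup_realm` controls TXT lookup of realms in `krb5.conf`. The sample configs and the `EXAMPLE.COM` realm are constructed.

```python
import re

TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# Assumed MIT krb5 defaults: SRV lookup of KDCs on, TXT lookup of realms off.
DEFAULTS = {"dns_lookup_kdc": True, "dns_lookup_realm": False}

# Constructed sample configs (EXAMPLE.COM is a placeholder realm).
WEAK = """
[libdefaults]
    dns_lookup_kdc = true
    dns_lookup_realm = true
"""
HARDENED = """
[libdefaults]
    dns_lookup_kdc = true
    dns_lookup_realm = false
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

def parse_sections(text):
    """Collect key = value lines per [section]; nested { } blocks are not modelled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit(text):
    """Report which DNS lookups the client will trust and flag TXT realm mapping."""
    sections = parse_sections(text)
    lib = sections.get("libdefaults", {})
    on = {k: lib[k].lower() in TRUE_VALUES if k in lib else d
          for k, d in DEFAULTS.items()}
    findings = []
    if on["dns_lookup_realm"]:
        findings.append("dns_lookup_realm: host-to-realm mapping is taken from "
                        "unauthenticated DNS TXT records; pin it in [domain_realm]")
    return {"srv_kdc_lookup": on["dns_lookup_kdc"],
            "txt_realm_lookup": on["dns_lookup_realm"],
            "static_mappings": len(sections.get("domain_realm", {})),
            "findings": findings}
```

Only the TXT-based realm mapping is reported as a finding; SRV lookup is recorded but not flagged, since a KDC found that way still has to prove knowledge of the shared secret.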