>>>>> "Russ" == Russ Allbery <[EMAIL PROTECTED]> writes:

    Russ> SRV records can pose similar problems, but people don't seem
    Russ> as worried about them.  I'm not sure if that's because the
    Russ> analysis of what an attacker can do with a SRV record is
    Russ> less confusing or just because SRV records are very useful
    Russ> and widely used.


At least in the case of Kerberos, there is no security problem with
the SRV record.  All KDCs in a given realm are trusted at the same level.
The SRV record lets you find the KDC.  However you can make sure it
is the right KDC because you and that KDC share a secret.

It's potentially possible that someone spoofing DNS could cause you to
try and authenticate to the wrong KDC.  That would give the attacker
an opportunity to mount a dictionary attack against your password.
However if your password is strong, the attacker should not get a significant 
advantage from this.

The TXT records are more dangerous.  Especially in situations where
you have a cross-realm relationship with not very trusted realms it
can open up significant attacks.
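
The SRV/TXT distinction drawn in the message above, as an added example that is not part of the original message: a small audit of a krb5.conf's [libdefaults] section. It assumes the MIT Kerberos option names dns_lookup_kdc (SRV lookup of KDCs) and dns_lookup_realm (TXT lookup of a host's realm); the sample configuration is constructed.

```python
import re

# Boolean spellings accepted in MIT krb5 profile files.
TRUE = {"y", "yes", "true", "t", "1", "on"}
FALSE = {"n", "no", "false", "nil", "0", "off"}

# Constructed sample krb5.conf, not taken from any real site.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    # SRV lookup of KDCs
    dns_lookup_kdc = true
    ; TXT lookup of the host-to-realm mapping
    dns_lookup_realm = yes

[realms]
    EXAMPLE.ORG = {
        admin_server = kadmin.example.org
    }
"""

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def as_bool(value):
    """Map a profile boolean to True/False; None if unset or unrecognised."""
    v = (value or "").lower()
    return True if v in TRUE else False if v in FALSE else None

def audit(text):
    """Report how the config treats SRV (KDC) and TXT (realm) DNS lookups."""
    conf = libdefaults(text)
    srv = as_bool(conf.get("dns_lookup_kdc"))
    txt = as_bool(conf.get("dns_lookup_realm"))
    findings = []
    if txt:
        findings.append("dns_lookup_realm on: realm taken from unauthenticated TXT data")
    if srv:
        findings.append("dns_lookup_kdc on: KDC found via SRV, still proven by shared key")
    return {"srv": srv, "txt": txt, "findings": findings}
```

An option that is absent is reported as None, since the library default then applies and the script makes no claim about it.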



