From: Boris Samorodov
To: freebsd-security@FreeBSD.org
Date: Sat, 11 Jun 2005 00:17:20 +0400
Subject: [Kerberos] Error at Handbook?

Hi!

I'm quite new to the list, but searching the archive and PRs didn't show me anything on the matter.

According to the FreeBSD Handbook (14.8.2 Setting up a Heimdal KDC) one should configure the DNS server by adding:
-----
_kerberos IN TXT EXAMPLE.ORG.
-----
This doesn't work. The DNS server returns: text = "EXAMPLE.ORG.". This is right, because RFC 1035 allows up to 16 character strings at this field (assuming that nothing should be prepended to the field if it doesn't end with a point). Thus I got this in the KDC log:
-----
2005-06-10T23:57:07 Server not found in database: krbtgt/EXAMPLE.ORG.@EXAMPLE.ORG: No such entry in the database
-----
(look at the point before '@').

Everything is fine when changing the DNS TXT record to "EXAMPLE.ORG" (without a dot at the end).

I'm going to file a DOC/PR, but what can the security gurus say on the matter? Am I missing something? I'm far away from thinking that I'm the only user who is using the Handbook to configure Kerberos on FreeBSD...

PS.
KDC host: FreeBSD 5.3-STABLE
Server: FreeBSD 6.0-CURRENT
Client: FreeBSD 5.4-RELEASE-p1

WBR
--
bsam
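The trailing-dot problem reported in the message above can be caught before a zone is loaded. The following is an added example, not part of the original post or of the Handbook; the sample zone fragment and the function names are constructed for illustration, and only records with an explicit owner name on the same line are checked.

```python
import shlex

# Constructed sample zone fragment for illustration (not from the original post).
SAMPLE_ZONE = """\
$ORIGIN example.org.
_kerberos            IN TXT EXAMPLE.ORG.
_kerberos.lab        IN TXT "EXAMPLE.ORG"
_kerberos.dev   3600 IN TXT "EXAMPLE.ORG."  ; quoting does not help
www                  IN A   192.0.2.10
"""


def tokenize(line):
    """Split one zone-file line into fields, honouring quotes and ';' comments."""
    lexer = shlex.shlex(line, posix=True)
    lexer.commenters = ";"
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:  # unbalanced quote: not a record we can judge
        return []


def lint_kerberos_txt(zone_text):
    """Return (line_no, owner, realm, suggested) for _kerberos TXT records
    whose realm string ends in a dot."""
    findings = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        if not raw or raw[0].isspace():
            continue  # blank line or inherited owner: out of scope here
        fields = tokenize(raw)
        types = [f.upper() for f in fields]
        if "TXT" not in types[1:]:
            continue
        owner = fields[0]
        if owner.lower().split(".")[0] != "_kerberos":
            continue
        # TXT RDATA is one or more character-strings, taken literally:
        # unlike a domain name, a trailing dot is data, not a root marker.
        realm = "".join(fields[types.index("TXT", 1) + 1:])
        if realm.endswith("."):
            findings.append((line_no, owner, realm, realm.rstrip(".")))
    return findings


if __name__ == "__main__":
    for line_no, owner, realm, fixed in lint_kerberos_txt(SAMPLE_ZONE):
        print(f"line {line_no}: {owner} TXT {realm!r} -> use {fixed!r}")
```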