Bug 137435 - why is --enable-dns-for-realm enabled by default in mit-krb5 ebuild
Summary: why is --enable-dns-for-realm enabled by default in mit-krb5 ebuild
Status: RESOLVED INVALID
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kerberos Maintainers
Reported: 2006-06-20 15:09 UTC by Paul B. Henson
Modified: 2006-06-22 12:24 UTC

Description Paul B. Henson 2006-06-20 15:09:43 UTC
How come --enable-dns-for-realm is enabled by default in the mit-krb5 ebuild? According to the documentation, using DNS for realm mapping is not currently secure, and they recommend against it. It would seem better to have it disabled by default, and have a local use flag for people who know what they're doing who want it on.
Comment 1 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-06-22 02:57:34 UTC
I do not agree, see krb5_get_default_realm in src/lib/krb5/os/def_realm.c; quoting the docs:

`--enable-dns-for-realm'
     Enable the use of DNS to look up a host's Kerberos realm, or a
     realm's KDCs, if the information is not provided in krb5.conf.

It is a fallback, it is used only if the realm is not set in krb5.conf.
Comment 2 Paul B. Henson 2006-06-22 12:24:40 UTC
Okay, I had missed the fact that DNS was only used if the mappings were not explicitly listed in the krb5.conf file, and the part in the documentation that said:
"The second mechanism works by looking up the information in special TXT records in the Domain Name Service. This is currently not used by default because security holes could result if the DNS TXT records were spoofed."

gave me some concerns. Assuming any important realms were appropriately configured in the krb5.conf, I concede that enabling this only provides extra functionality and should not generate security concerns in a correctly configured setup. I will go ahead and close this bug out as invalid, thanks for taking the time to look into it...
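One way to verify the point both comments settle on, namely that DNS is only consulted for hosts with no [domain_realm] entry, is to audit a krb5.conf against the hostnames you care about. This is an added example, not code from MIT krb5 or from the bug report; it assumes a simplified version of MIT's [domain_realm] suffix matching, uses a constructed sample krb5.conf, and treats a missing dns_lookup_realm key as disabled.

```python
# Constructed sample krb5.conf; not taken from the bug report.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true   # runtime switch for the DNS TXT fallback
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    legacy.example.net = OLD.EXAMPLE.NET
"""

def parse_krb5_conf(text):
    """Minimal [section] / key = value parser; ignores brace nesting."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def host_realm(hostname, conf):
    """Simplified MIT [domain_realm] matching: exact host, then each parent
    domain with and without its leading dot, longest suffix first."""
    mapping = conf.get("domain_realm", {})
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return None  # no local mapping: this host is where DNS would be consulted

def audit(hostnames, conf):
    """Per host: the locally mapped realm, or a flag for the DNS fallback."""
    # Missing key treated as disabled here; the real default is build-dependent.
    flag = conf.get("libdefaults", {}).get("dns_lookup_realm", "false")
    dns_fallback = flag.lower() in ("true", "yes", "1")
    report = {}
    for host in hostnames:
        realm = host_realm(host, conf)
        report[host] = realm or ("DNS TXT fallback" if dns_fallback else "no mapping")
    return report
```

Hosts reported as "DNS TXT fallback" are exactly the ones for which the build option discussed above changes behaviour; adding them to [domain_realm] removes the dependency on DNS.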