In Kerberos 1.5, krb5_sname_to_principal calls krb5_get_host_realm which (when
KRB5_DNS_LOOKUP is defined) causes DNS to be queried for a _kerberos.FQDN TXT
RR when no applicable domain_realm entry is found and dns_lookup_realm is set.

In 1.6 the KRB5_DNS_LOOKUP ifdef'ed code was removed. This means that the
domain_realm section HAS to have a matching entry for the machine, mapping it
into a realm, whereas in 1.5 this didn't need to be the case if the above
conditions were met.

I'm aware (from a previous discussion) that the DNS lookups are insecure
(although they _are_ used in the case of failing referrals, in which case
krb5_get_fallback_host_realm is called). But I'm still wondering what the
suggested fix is, beyond the obvious addition to domain_realm.

Comments?

--
Jos Backus
jos at catnook.com