Distributing Kerberos KDC and Realm Information with DNS

Document Type Expired Internet-Draft (krb-wg WG)
Last updated 2002-07-29
Stream IETF
Intended RFC status (None)
Expired & archived
plain text pdf html bibtex
Stream WG state Dead WG Document
Document shepherd No shepherd assigned
IESG IESG state Expired
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- col [RFC????] describe any mechanism for clients to learn critical configuration information necessary for proper operation of the pro- tocol. Such information includes the location of Kerberos key dis- tribution centers or a mapping between DNS domains and Kerberos realms. Current Kerberos implementations generally store such configuration information in a file on each client machine. Experience has shown this method of storing configuration information presents problems with out-of-date information and scaling problems, especially when using cross-realm authentication. This memo describes a method for using the Domain Name System [RFC1035] for storing such configuration information. Specifically, methods for storing KDC location and hostname/domain name to realm mapping information are discussed.


Ken Hornstein (kenh@cmf.nrl.navy.mil)
Jeffrey Altman (jaltman@secure-endpoints.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)