
Re: KRB5_CONFIG for "make check"



On 2006-11-13 at 01:10 +0100, Harald Barth wrote:
> EXAMPLE.COM entries from MIT kerberos installs have given me support
> problems multiple times. Can't we just IGNORE everything called 
> EXAMPLE.COM in the config file(s)? Isn't this domain/realm/whatever
> defined to be non-existing, so it should be valid to just ignore it.

Define "non-existing"?

It exists in whois and in DNS, with valid SOA and NS records and even an
A record, which points to valid routable IP space.  Oops.

It's a "reserved" domain, per RFC 2606 / BCP 32.  But it's reserved for
use as an example, not for testing purposes.

When you special-case domains, you create new code-paths which need
their own debugging, adding their own complexity and causing more
problems if it's a domain which anyone else might legitimately (or not)
be trying to use.

There's nothing keeping a software author from using a sub-domain of one
of their own domains as a realm for testing purposes.  DUMMY.PDC.KTH.SE
or somesuch.  Include a note in a file stating that it's reserved for
use by software X for tests Y and should not be used for any other
purpose and possibly even create a TXT record for it, saying the same.
End of problem -- anyone from another organisation has no rights to use
names which have been delegated to "your" ownership in a federated
naming system.

Regards,
-Phil