It seems to me that Heimdal tries to find the realm of a given host by looking up the DNS TXT record of “_kerberos.” + <host> + “.”. For example, if the host is “abc.xyz.com”, Heimdal first tries looking for the TXT record of “_kerberos.abc.xyz.com.” and then “_kerberos.xyz.com.”. This is in get_host_realm.c. However, I cannot find this logic in Kerberos RFC 4120, or in practice either. Is this something extra?
On the other hand, Heimdal looks up the DNS SRV record before connecting to the KDC. The code I’m talking about is srv_find_realm() in krbhst.c. It follows the RFC.
It seems to me that the realm discovery logic in get_host_realm.c can use the same SRV lookup implemented in srv_find_realm() by trying each domain suffix, instead of the current TXT lookup. Any thoughts? Thanks.
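The suffix walk described in the post, written out as an added example (not Heimdal's code and not part of the original message). `realm_query_names` and its parameters are hypothetical; stopping at two labels is an assumption chosen to match the two names given in the post, and `_kerberos._udp.` is the SRV owner-name form from RFC 4120.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256

/* Hypothetical helper (not Heimdal code): list the DNS owner names queried
 * when walking the suffixes of `host`, most specific first.
 * prefix:     "_kerberos." for the TXT lookup, "_kerberos._udp." for SRV.
 * min_labels: stop once the suffix has fewer labels (assumed 2 here).
 * Returns the number of names written to out (at most max). */
int realm_query_names(const char *host, const char *prefix, int min_labels,
                      char out[][NAME_MAX_LEN], int max)
{
    char buf[NAME_MAX_LEN];
    size_t len = strlen(host);
    int n = 0;

    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, host, len + 1);
    if (buf[len - 1] == '.')            /* accept a fully qualified name */
        buf[--len] = '\0';
    for (const char *p = buf; p != NULL && *p != '\0' && n < max; ) {
        int labels = 1;
        for (const char *q = p; *q; q++)
            if (*q == '.')
                labels++;
        if (labels < min_labels)
            break;
        if (snprintf(out[n], NAME_MAX_LEN, "%s%s.", prefix, p) >= NAME_MAX_LEN)
            break;                      /* too long to be a valid name */
        n++;
        p = strchr(p, '.');             /* drop the leftmost label */
        p = p ? p + 1 : NULL;
    }
    return n;
}

int main(void)
{
    char names[8][NAME_MAX_LEN];
    int n = realm_query_names("abc.xyz.com", "_kerberos._udp.", 2, names, 8);
    for (int j = 0; j < n; j++)
        puts(names[j]);
    return 0;
}
```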