Bug
Resolution: Fixed
P4
7
b25
generic
generic
Verified
The dns_fallback entry in [libdefaults] of krb5.conf is defined as:
Generic flag controlling the use of DNS for retrieval of information about Kerberos servers and host/domain name-to-realm mapping. If both dns_lookup_kdc and dns_lookup_realm have been specified, this option has no effect.
However, in sun.security.krb5.Config, we have
    public boolean useDNS(String name) { // name can be dns_lookup_kdc or dns_lookup_realm
        boolean value = getDefaultBooleanValue(name, "libdefaults");
        if (value == false) {
            value = getDefaultBooleanValue("dns_fallback", "libdefaults");
        }
        return value;
    }
Therefore, if dns_lookup_kdc (or dns_lookup_realm) is specified as false, dns_fallback will still be read. This means dns_fallback is not merely a fallback; it becomes a supplement in an OR relation: an explicit false for the specific key is overridden whenever dns_fallback is true.
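The following added example (not JDK code and not part of the original report) enumerates every combination of dns_lookup_kdc and dns_fallback and compares the logic quoted above with the documented semantics. The class DnsFallbackDemo, its methods and the map-based config model are hypothetical; useDnsDocumented is an assumed reading of the documentation, not the fix that was actually committed.

```java
import java.util.HashMap;
import java.util.Map;

public class DnsFallbackDemo {
    // Stand-in for the parsed [libdefaults] section (constructed, not read from krb5.conf).
    private final Map<String, String> libdefaults = new HashMap<>();

    DnsFallbackDemo(String key, String keyValue, String fallbackValue) {
        if (keyValue != null) libdefaults.put(key, keyValue);
        if (fallbackValue != null) libdefaults.put("dns_fallback", fallbackValue);
    }

    // Simplified model of a boolean lookup: an absent key reads as false.
    boolean getBool(String name) {
        return "true".equalsIgnoreCase(libdefaults.get(name));
    }

    // Logic as quoted in the report: explicit false and absent are indistinguishable.
    boolean useDnsReported(String name) {
        boolean value = getBool(name);
        if (!value) {
            value = getBool("dns_fallback");
        }
        return value;
    }

    // Assumed reading of the documentation: an explicit setting always wins.
    boolean useDnsDocumented(String name) {
        return libdefaults.containsKey(name) ? getBool(name) : getBool("dns_fallback");
    }

    public static void main(String[] args) {
        String key = "dns_lookup_kdc";
        String[] states = {null, "true", "false"}; // null means the key is not set
        System.out.printf("%-16s %-14s %-9s %-11s%n", key, "dns_fallback", "reported", "documented");
        for (String kv : states) {
            for (String fb : states) {
                DnsFallbackDemo cfg = new DnsFallbackDemo(key, kv, fb);
                boolean r = cfg.useDnsReported(key);
                boolean d = cfg.useDnsDocumented(key);
                System.out.printf("%-16s %-14s %-9b %-11b%s%n",
                        kv == null ? "(unset)" : kv, fb == null ? "(unset)" : fb,
                        r, d, r != d ? "  <-- differs" : "");
            }
        }
    }
}
```

The two variants disagree in exactly one row: dns_lookup_kdc=false with dns_fallback=true, where the reported logic still enables DNS lookup. That is the configuration to check for when an administrator has disabled DNS-based KDC discovery explicitly.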