author: Greg Hudson <ghudson@mit.edu> 2020-12-21 10:25:58 -0500
committer: Greg Hudson <ghudson@mit.edu> 2021-01-06 21:22:31 -0500
commit: 15f8c4fd7d62d07ea2759a7b6d684c000430559e
tree: 9104f28c919d4df3030b452c49f4d1529729c0a9 /doc
parent: dde43ffc6d0d19ff3fa080d86d4cddfcc152e421
Revert dns_canonicalize_hostname default to true
Field testing of dns_canonicalize_hostname=fallback (ticket 8911) revealed more disruptive edge cases than anticipated. Many were fixed by ticket 8930, but host-based GSS initiator names were recently discovered to not work, and one other edge case could not be resolved without a change to external code. Restore the default to true for now. Set the value to fallback in the test suite, to continue testing the desired configuration and to avoid restoring tests/resolve.

ticket: 8973 (new)
tags: pullup
target_version: 1.19
Diffstat (limited to 'doc')
-rw-r--r--  doc/admin/conf_files/krb5_conf.rst   2
-rw-r--r--  doc/admin/princ_dns.rst             26
2 files changed, 14 insertions, 14 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index e4e2443..cb17a84 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -191,7 +191,7 @@ The libdefaults section may contain any of the following relations:
fully-qualified hostnames. If this option is set to ``fallback`` (new
in release 1.18), DNS canonicalization will only be performed the
server hostname is not found with the original name when
- requesting credentials. The default value is ``fallback``.
+ requesting credentials. The default value is true.
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
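Review bot: the unchanged context two lines above the changed line still reads "DNS canonicalization will only be performed the server hostname is not found", missing "if" before "the server hostname"; since this hunk already edits the paragraph, it is cheap to fix the sentence here rather than leave the option description unreadable. Also, the new line states the default as plain "true" while the same paragraph marks ``fallback`` as an rst literal; writing ``true`` with the same double-backtick markup keeps the rendered page consistent.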
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
index 32a269a..b2db007 100644
--- a/doc/admin/princ_dns.rst
+++ b/doc/admin/princ_dns.rst
@@ -35,14 +35,14 @@ In the MIT krb5 client library, canonicalization of host-based service
principals is controlled by the **dns_canonicalize_hostname**,
**rnds**, and **qualify_shortname** variables in :ref:`libdefaults`.
-If **dns_canonicalize_hostname** is set to ``true`` (the default value
-before release 1.19), the client performs forward resolution by
-looking up the IPv4 and/or IPv6 addresses of the hostname using
-``getaddrinfo()``. This process will typically add a domain suffix to
-the hostname if needed, and follow CNAME records in the DNS. If
-**rdns** is also set to ``true`` (the default), the client will then
-perform a reverse lookup of the first returned Internet address using
-``getnameinfo()``, finding the name associated with the PTR record.
+If **dns_canonicalize_hostname** is set to ``true`` (the default
+value), the client performs forward resolution by looking up the IPv4
+and/or IPv6 addresses of the hostname using ``getaddrinfo()``. This
+process will typically add a domain suffix to the hostname if needed,
+and follow CNAME records in the DNS. If **rdns** is also set to
+``true`` (the default), the client will then perform a reverse lookup
+of the first returned Internet address using ``getnameinfo()``,
+finding the name associated with the PTR record.
If **dns_canonicalize_hostname** is set to ``false``, the hostname is
not canonicalized using DNS. If the hostname has only one component
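Review bot: the context line "**rnds**, and **qualify_shortname** variables" misspells the variable; the added lines in this same hunk use **rdns**, so the list of controlling variables and the body text disagree within one paragraph. Correct it to **rdns** while the paragraph is being reflowed. The rewrite itself only drops the "before release 1.19" qualifier, which is right now that true is the default again, and should not change the rendered meaning otherwise.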
@@ -50,11 +50,11 @@ not canonicalized using DNS. If the hostname has only one component
domain will be appended, if there is one. The **qualify_shortname**
variable can be used to override or disable this suffix.
-If **dns_canonicalize_hostname** is set to ``fallback`` (the default
-value in release 1.19 and later), the hostname is initially treated
-according to the rules for ``dns_canonicalize_hostname=false``. If a
-ticket request fails because the service principal is unknown, it the
-hostname will be canonicalized according to the rules for
+If **dns_canonicalize_hostname** is set to ``fallback`` (added in
+release 1.18), the hostname is initially treated according to the
+rules for ``dns_canonicalize_hostname=false``. If a ticket request
+fails because the service principal is unknown, the hostname will be
+canonicalized according to the rules for
``dns_canonicalize_hostname=true`` and the request will be retried.
In all cases, the hostname is converted to lowercase, and any trailing
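Review bot: the added "(added in release 1.18)" presents fallback as an ordinary supported value, but the commit message above says host-based GSS initiator names do not work with it and that one further edge case needs a change to external code; a short sentence in this paragraph noting that fallback has known limitations in 1.19 would stop administrators from enabling it on the strength of the docs alone. The replacement wording does fix the "it the hostname will be canonicalized" typo from the removed lines, which is good.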