On 14/08/2022 15:57, Paul Wouters wrote:
On Aug 14, 2022, at 09:16, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
but otherwise stuff works fine even if it can sometimes be confusing as to how kerberos realms and DNS domains do or don't map to one another.

But that’s because foo.example in DNS maps to FOO.EXAMPLE in Kerberos in most deployments.
I don't believe "because" is correct. I've seen many kerberos realm names that don't map well to DNS domains. Stuff still works. That said, I've not seen any measurement study on the topic.
let’s say I get COCA-COLA.COM, that’s quite a different situation. We can have all the clever mappings for DNS to support alternative backend systems, but in the end the real issue is that “issued names” in the DNS world won’t map to alternative owners. The only way to guarantee that is to carve out some strings. But it will be unpopular strings because the popular ones are taken or reserved.
My point here is that the Internet can survive two widely-deployed standards with potentially conflicting uses of the same names with no need for a guarantee that there's any particular relationship between some DNS domain and kerberos realm. (And again, I'm not saying that that "solves the problem" - all I'm saying is that invalidates some of the more "absolutist" arguments I've seen used.)

I'm fine that we carve out a .alt or similar and that ICANN carve out a .internal or similar, as both make sense.

Cheers,
S.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop