From 2da88740651fa66bb28cb10fbb18dd5fd4956bc0 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Tue, 20 Mar 2012 21:45:43 +0100
Subject: [PATCH] Change back dns_lookup_kdc to the default

The specifications recommend against using TXT records to mapping hostnames to realms. However they do not recommend against using SRV records to lookup the KDC. Change back to the MIT default of enabling DNS for KDC lookup. This allows automatic configuration and failover. A theoretical attack involving SRV records could be similarly accomplished by a similar attack involving the A records for the KDC hosts.
---
 krb5.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/krb5.conf b/krb5.conf
index 33ec1cc..b2e0a25 100644
--- a/krb5.conf
+++ b/krb5.conf
@@ -6,7 +6,6 @@
 [libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
- dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
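Review bot: Removing `dns_lookup_kdc` makes the setting implicit while `dns_lookup_realm = false` on the line above stays explicit, so the deliberate decision to trust DNS SRV records for KDC location is no longer visible in the file and now depends on whichever Kerberos implementation's default applies. Consider keeping it explicit with its rationale, e.g. `# KDCs may be located via DNS SRV records (library default); realm mapping via DNS stays off` followed by `dns_lookup_kdc = true`, so the intent survives without reading the commit log. Whether SRV lookup is actually exercised presumably also depends on the [realms] section, which is outside this hunk, since explicit `kdc =` entries for EXAMPLE.COM would be consulted before DNS. The [libdefaults] section appears to continue past the end of the hunk.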