JDK-8077102 : dns_lookup_realm should be false by default
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2015-04-07
  • Updated: 2017-05-17
  • Resolved: 2015-05-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 JDK 8 JDK 9
6-poolResolved 7u91Fixed 8u60Fixed 9 b66Fixed
Related Reports
Relates :  
Relates :  
Sub Tasks
JDK-8080639 :  
Description
JDK-6552334 called for enabling DNS in Kerberos by default, but it was only meant for the dns_lookup_kdc option. The code change mistakenly changed default values for both dns_lookup_kdc and dns_lookup_realm. This should be fixed.

MIT krb5 has dns_lookup_kdc being true and dns_lookup_realm false by default [1]. In more recent versions they no longer document this option at all but the default value is still false.

[1] http://web.mit.edu/kerberos/krb5-1.10/krb5-1.10/doc/krb5-admin.html#libdefaults
Comments
release-note: The dns_lookup_realm setting in Kerberos' krb5.conf file is default to be false.
19-05-2015