[jdev] GSSAPI and service hostname

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Thu Jan 15 11:09:41 CST 2009

On Thursday 15 January 2009 08:51:30 Peter Saint-Andre wrote:
> As we discussed in the jdev room yesterday, I think you would use the
> machine-name that you discovered via SRV lookup:
> http://logs.jabber.org/jdev@conference.jabber.org/2009-01-14.html#16:01:06

Yes, this is the consensus.

There is, however, some worry about DNS-based attacks, since the connect host 
is derived insecurely through the SRV lookup.  One obvious but totally 
impractical fix is to use DNSSEC.  Another is to use XEP-233.  Yet another is 
to offer some explicit trust mechanisms in the client (e.g. a field where the 
user can type the connect host in advance, to mark as trusted).


More information about the JDev mailing list