Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual page 866

The name of an SRV record, as far as Kerberos is concerned, is always in the format
_service._proto.realm, where realm is the Kerberos realm. Domain names in
DNS are case insensitive, so case-sensitive Kerberos realms would break when using
this configuration method. _service is a service name (different names are used
when trying to contact the KDC or the password service, for example). _proto can
be either _udp or _tcp, but not all services support both protocols.
The data portion of SRV resource records consists of a priority value, a weight, a port
number, and a hostname. The priority defines the order in which hosts should be tried
(lower values indicate a higher priority). The weight is there to support some sort of
load balancing among servers of equal priority. You probably do not need any of this,
so it is okay to set these to zero.
MIT Kerberos currently looks up the following names when looking for services:
_kerberos
This defines the location of the KDC daemon (the authentication and ticket granting
server). Typical records look like this:
_kerberos._udp.EXAMPLE.COM.
_kerberos._tcp.EXAMPLE.COM.
_kerberos-adm
This describes the location of the remote administration service. Typical records
look like this:
_kerberos-adm._tcp.EXAMPLE.COM. IN
Because kadmind does not support UDP, there should be no _udp record.
As with the static configuration file, there is a mechanism to inform clients that a spe-
cific host is in the EXAMPLE.COM realm, even if it is not part of the example.com
DNS domain. This can be done by attaching a TXT record to _keberos.hostname,
as shown here:
_keberos.www.foobar.com.
848 Installation and Administration
IN SRV 0 0 88 kdc.example.com.
IN SRV 0 0 88 kdc.example.com.
SRV
IN TXT "EXAMPLE.COM"
0 0 749 kdc.example.com.