Actually DNS domain->realm already always defaults to off: Date: Mon, 02 Jun 2003 17:51:56 -0400 From: Jeffrey Altman To: krbcore@mit.edu Subject: Default DNS REALM lookups in Kerberos 5 tree The default behavior of DNS REALM lookups in the Kerberos 5 tree is specified in auth/krb5/src/lib/krb5/os/locate_kdc.c This behavior is currently to return a consistent default value specified by the value of DEFAULT_LOOKUP_REALM regardless of whether or not the krb5.conf file exists. The behavior I described must have been removed by Ken Raeburn during the transition from release 1.1 to 1.2. The behavior of using a different value for a missing configuration file continues exist in the Windows Kerberos IV library. I suggest we leave things as is until the krb4 merger.