Subject: rdns default

This conversation would be better situated on the krbdev@mit.edu list, but I will answer here.

We absolutely think the rdns=true behavior is dumb and recommend turning it off. But we also try very hard to make upgrades as painless as we can--especially on the client side, where they often happen as part of OS upgrades without anyone explicitly consenting and reading the release notes.

When we have floated the idea of changing the default, we got feedback that it would definitely affect some environments in a negative way:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html

The concern isn't so much that those particular environments would be adversely affected; anyone who is sufficiently informed could simply turn it on explicitly. But we would undoubtedly surprise people who run similar environments and aren't on the kerberos@mit.edu list.

We have a rough design, but not a timeline, for getting rid of both forward and reverse canonicalization at the KDC's option:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html