Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Content-Length: 2311

<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>gss-krb5 when passed a two component acceptor name passes the second component to getaddrinfo() to canonicalize it.   While it is often the case that the second component of a service name is a hostname, it is not always a hostname.   The afs rxgk security class service name is of the form</p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>   afs-rxgk/_afs.&lt;cellname&gt;</p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Names that begin with an underscore are not valid DNS hostnames and should not be passed to getaddrinfo() which will happily issue a query which cannot be successfully resolved.  Underscores are valid for SRV and TXT records.  They are not valid for A/AAAA/CNAME lookups as performed by getaddrinfo().</p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Kerberos should validate the names passed to getaddrinfo() to avoid unnecessary network queries and timeouts.</p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>A valid host name only consists of [a-z]{A-Z][0-9] and the hyphen ‘-‘.  </p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p></div></body></html>