krb5.conf(5): New block_dns option.

Documented and verified, not yet implemented.
2023-06-09 00:06:32 +00:00
parent 42e23b1777
commit fa4c4430f6
2 changed files with 4 additions and 0 deletions
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -199,6 +199,9 @@ The default is the result of
 .It Li allow_weak_crypto = Va boolean
 are weak crypto algorithms allowed to be used, among others, DES is
 considered weak.
+.It Li block_dns = Va boolean
+If true, prevent Heimdal from doing any DNS resolution.
+Default is false.
 .It Li clockskew = Va time
 Maximum time differential (in seconds) allowed when comparing
 times.
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -395,6 +395,7 @@ struct entry v4_name_convert_entries[] = {
 struct entry libdefaults_entries[] = {
    { "accept_null_addresses", krb5_config_string, check_boolean, 0 },
    { "allow_weak_crypto", krb5_config_string, check_boolean, 0 },
+    { "block_dns", krb5_config_string, check_boolean, 0 },
    { "capath", krb5_config_list, all_strings, 1 },
    { "ccapi_library", krb5_config_string, NULL, 0 },
    { "check_pac", krb5_config_string, check_boolean, 0 },