I am specifically referring to validation of Kerberos tickets using information gained through non-secured DNS. That's broken. DNS is easily spoofed or otherwise fooled into giving out incorrect information.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html