+2002-09-20 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo, dnssrv.texinfo: Documented config file variables
+ and SRV records to use for Kerberos TCP service, if it's enabled,
+ which it isn't by default. Removed UDP port 750 from the DNS SRV
+ recommendations.
+
2002-09-20 Jen Selby <jenselby@mit.edu>
* Makefile: made the list of manpages a variable
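Review bot: the new ChangeLog entry never names what was added, so a search of the ChangeLog for kdc_tcp_ports or _kerberos._tcp will not land on this change. Suggest naming the relation and the SRV record explicitly, for example "Documented kdc_tcp_ports and the _kerberos._tcp SRV record", and keeping the port 750 removal as its own sentence as it is now.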
@table @b
@itemx kdc_ports
This relation lists the ports on which the Kerberos server should
-listen by default. This list is a comma separated list of integers.
+listen for UDP requests by default. This list is a comma separated
+list of integers.
If this relation is not specified, the compiled-in default is
@value{DefaultKdcPorts}, the first being the assigned Kerberos port
and the second which was used by Kerberos V4.
+@itemx kdc_tcp_ports
+This relation lists the ports on which the Kerberos server should
+listen for TCP connections by default. This list is a comma separated
+list of integers.
+If this relation is not specified, the compiled-in default is not to
+listen for TCP connections at all.
+
+If you wish to change this (which we do not recommend, because the
+current implementation has little protection against denial-of-service
+attacks), the standard port number assigned for Kerberos TCP traffic
+is port 88.
+
@itemx v4_mode
This string specifies how the KDC should respond to Kerberos 4
packets. The possible values are none, disable, full, and nopreauth.
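Review bot: in the new kdc_tcp_ports item the denial-of-service warning sits in a parenthetical inside the sentence that gives the port number, so the one security-relevant fact in the entry reads as an aside. Suggest making it a sentence of its own, stating that TCP listening is off by default because the current implementation has little protection against denial-of-service attacks, and then giving the port 88 sentence separately. Minor: the blank line added before "@itemx v4_mode" is not matched between the kdc_ports text and "@itemx kdc_tcp_ports" just above, so the item spacing in this table is now inconsistent.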
Kerberos realm.
@itemx kdc_ports
-(String.) Specifies the list of ports that the KDC is to listen to for
-this realm. By default, the value of kdc_ports as specified in the
-[kdcdefaults] section is used.
+(String.) Specifies the list of ports that the KDC is to listen to
+for UDP requests for this realm. By default, the value of kdc_ports
+as specified in the [kdcdefaults] section is used.
+
+@itemx kdc_tcp_ports
+(String.) Specifies the list of ports that the KDC is to listen to
+for TCP requests for this realm. By default, the value of
+kdc_tcp_ports as specified in the [kdcdefaults] section is used.
@itemx master_key_name
(String.) Specifies the name of the principal associated with the
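Review bot: the per-realm kdc_tcp_ports item says the [kdcdefaults] value is used by default, but not that with neither relation set the KDC listens on no TCP port at all, and it drops the denial-of-service caveat that the [kdcdefaults] item carries. A reader who lands only on the [realms] entry sees how to turn TCP on and nothing about why it is off. Suggest adding one sentence that points back to the [kdcdefaults] description. The wording also drifts between the two items: "listen to for TCP requests" here, "listen for TCP connections" there; pick one.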
@table @code
@item _kerberos._udp
-This is for contacting any KDC. This entry will be used the most
-often. Normally you should list ports @value{DefaultKdcPorts} on each
-of your KDCs.
+This is for contacting any KDC by UDP. This entry will be used the most
+often. Normally you should list port 88 on each of your KDCs.
+@c Don't encourage continued use of port 750 for krb5.
+@c It should be only for backwards compatibility with krb4.
+@c Do the Mac/Windows krb4 libraries use this DNS entry?
+@c The UNIX code does not.
+
+@item _kerberos._tcp
+This is for contacting any KDC by TCP. The MIT KDC by default will not
+listen on any TCP ports, so unless you've changed the configuration or
+you're running another KDC implementation, you should leave this
+unspecified. If you do enable TCP support, normally you should use
+port 88.
@item _kerberos-master._udp
This entry should refer to those KDCs, if any, that will immediately see
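Review bot: the _kerberos._tcp item tells the administrator to use port 88 "if you do enable TCP support" but does not name the kdc_tcp_ports relation that enables it, and does not repeat that enabling it is not recommended. Suggest a cross-reference to the kdc_tcp_ports description in admin.texinfo so the SRV record and the listener configuration are changed together. Separately, the @c block under _kerberos._udp leaves an open question in the source ("Do the Mac/Windows krb4 libraries use this DNS entry?"). Since the visible text now recommends only port 88, that question should be answered or tracked outside the manual before this goes in.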