RFR 8029995: accept yes/no for boolean krb5.conf settings

Wang Weijun weijun.wang at oracle.com
Tue Jan 28 00:53:08 PST 2014

Please review the fix at


The supported boolean values in this fix cover what MIT krb5 does and we also added 'f'.

The old getBooleanValue() method returns true for “true” and false otherwise but the new method returns null if the value is not supported. I’ve carefully changed how the method is called to ensure maximum compatibility, but there is still one left:

We support DNS lookup for realm name by default, which means we do it if dns_lookup_realm is not set to false, or when unset, if dns_fallback is not set to false. Before this change, when dns_lookup_realm is set to “unknown”, it means false so DNS lookup is not performed. After this change, it’s equivalent to dns_lookup_realm unset, and dns_fallback is used. I think the current behavior is better than the old one.


More information about the security-dev mailing list