From dd2027d24f8db650a8a1b8c1eee2a151429abc1c Mon Sep 17 00:00:00 2001 From: Slawomir Koszewski Date: Sat, 16 May 2026 13:40:07 +0200 Subject: [PATCH] Update README.md to clarify DNS setup requirements for Kerberos container --- README.md | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 213f172..d4ae227 100644 --- a/README.md +++ b/README.md 
@@ -4,13 +4,29 @@ MIT Kerberos V KDC + admin server container running on Ubuntu 26.04. ## Prerequisites -Kerberos is sensitive to hostname resolution. Before running this container: +### DNS setup -- `KRB5_KDC_HOST` must resolve to the container from every client machine (forward DNS or `/etc/hosts`). -- The container's own hostname should match `KRB5_KDC_HOST` so that service tickets are issued for the correct principal. Set it with `--hostname` / the container runtime's hostname option. -- Reverse DNS (PTR records) for the KDC host is strongly recommended — some Kerberos operations fail without it. +Kerberos is sensitive to hostname resolution. The following DNS records must be in place before starting the container. -DNS lookup of KDC addresses is disabled in the generated `krb5.conf` (`dns_lookup_kdc = false`); the value of `KRB5_KDC_HOST` is used directly instead. +**Forward record** — resolves the KDC hostname to its IP address: + +```dns +krb5.example.org. IN A 192.168.1.10 +_kerberos._tcp.example.org. IN SRV 1 0 88 krb5.example.org. +_kerberos._udp.example.org. IN SRV 1 0 88 krb5.example.org. +_kerberos-adm._tcp.example.org. IN SRV 1 0 749 krb5.example.org. +_kpasswd._udp.example.org. IN SRV 1 0 464 krb5.example.org. +``` + +**Reverse record** — resolves the IP back to the hostname (required by some Kerberos operations): + +```dns +10.1.168.192.in-addr.arpa. IN PTR krb5.example.org. +``` + +The container's hostname must match `KRB5_KDC_HOST` exactly — it is set via the `hostname:` field in the compose file. + +**Note**: DNS-based KDC discovery (SRV records) is disabled for the server container in the generated configuration (`dns_lookup_kdc = false`), however it is required for clients to locate the KDC. The KDC hostname must be resolvable by clients via DNS or a local hosts file entry. ## Environment variables
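Review bot: the closing **Note** line in this hunk overstates SRV records as "required for clients to locate the KDC"; a client whose `krb5.conf` names the KDC explicitly (`kdc = krb5.example.org` under `[realms]`) never performs an SRV lookup, so this should read that SRV records are needed only by clients that rely on DNS discovery, and the run-on "(`dns_lookup_kdc = false`), however it is required for clients..." should be split into two sentences. Two smaller points on the same hunk: the forward-record example (`_kerberos._udp.example.org. IN SRV 1 0 88 krb5.example.org.` and friends) is looked up under the realm name, so it is worth stating next to the example that the domain part of the SRV owner names must be the realm (DNS is case-insensitive, so `example.org` serves realm `EXAMPLE.ORG`); and "it is set via the `hostname:` field in the compose file" drops the `--hostname` option the removed line mentioned, so readers starting the container with `docker run` rather than compose no longer learn how to satisfy the "must match `KRB5_KDC_HOST` exactly" requirement.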