Update README.md to clarify DNS setup requirements for Kerberos container

README.md

@@ -4,13 +4,29 @@ MIT Kerberos V KDC + admin server container running on Ubuntu 26.04.
 
 ## Prerequisites
 
-Kerberos is sensitive to hostname resolution. Before running this container:
+### DNS setup
 
-- `KRB5_KDC_HOST` must resolve to the container from every client machine (forward DNS or `/etc/hosts`).
+Kerberos is sensitive to hostname resolution. The following DNS records must be in place before starting the container.
-- The container's own hostname should match `KRB5_KDC_HOST` so that service tickets are issued for the correct principal. Set it with `--hostname` / the container runtime's hostname option.
-- Reverse DNS (PTR records) for the KDC host is strongly recommended — some Kerberos operations fail without it.
 
-DNS lookup of KDC addresses is disabled in the generated `krb5.conf` (`dns_lookup_kdc = false`); the value of `KRB5_KDC_HOST` is used directly instead.
+**Forward record** — resolves the KDC hostname to its IP address:
+
+```dns
+krb5.example.org.                IN  A               192.168.1.10
+_kerberos._tcp.example.org.      IN  SRV  1  0  88   krb5.example.org.
+_kerberos._udp.example.org.      IN  SRV  1  0  88   krb5.example.org.
+_kerberos-adm._tcp.example.org.  IN  SRV  1  0  749  krb5.example.org.
+_kpasswd._udp.example.org.       IN  SRV  1  0  464  krb5.example.org.
+```
+
+**Reverse record** — resolves the IP back to the hostname (required by some Kerberos operations):
+
+```dns
+10.1.168.192.in-addr.arpa.  IN  PTR  krb5.example.org.
+```
+
+The container's hostname must match `KRB5_KDC_HOST` exactly — it is set via the `hostname:` field in the compose file.
+
+**Note**: DNS-based KDC discovery (SRV records) is disabled for the server container in the generated configuration (`dns_lookup_kdc = false`), however it is required for clients to locate the KDC. The KDC hostname must be resolvable by clients via DNS or a local hosts file entry.
 
 ## Environment variables