Re: [dnsext] New RRtype "KREALM" in draft-vanrein-dnstxt-krb1-02.txt

Mark Andrews <marka@isc.org> Thu, 03 September 2015 22:14 UTC

To: Rick van Rein <rick@openfortress.nl>
From: Mark Andrews <marka@isc.org>
References: <55E868E8.6050504@openfortress.nl>
In-reply-to: Your message of "Thu, 03 Sep 2015 17:36:08 +0200." <55E868E8.6050504@openfortress.nl>
Date: Fri, 04 Sep 2015 08:14:10 +1000
Message-Id: <20150903221410.8405236BD3C5@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/avRiFe4NvQd6kKUY62s1FQw1aVo>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] New RRtype "KREALM" in draft-vanrein-dnstxt-krb1-02.txt

If you only want the AD bit to be returned then set AD=1 in the
query, not DO=1.  See RFC 6840.  Modern versions of DiG do this by
default.  If the resolver or the path to it is not trusted then you
need to specify DO=1 and perform local validation, as you can't rely
on the AD bit.

Don't put the base64 in quotes.

Do specify that the base64 encoding may be broken up by white space
and may be over multiple lines using the standard DNS mechanisms
for doing this.  There is no need for it to be a single lexicographic
token.  This needs to be clear, as registrars stuffed up DS handling
by only coding for a single lexicographic token in DS despite it being
specified as allowing multiple tokens.  Add some examples where the
base64 is split into multiple tokens.

Mark

In message <55E868E8.6050504@openfortress.nl>, Rick van Rein writes:
> Hello,
> 
> I am working on an I-D that allocates a new RRtype in DNS, named
> KREALM.  This RR is meant to store Kerberos realm descriptions in DNS;
> this has hitherto been desired but impossible to do securely, but
> nowadays the broad acceptance of DNSSEC permits this facility.
> 
> Please let me know if you have any feedback or questions!
> 
> Cheers,
> 
> Rick van Rein
> for ARPA2.net
> 
> > A new version of I-D, draft-vanrein-dnstxt-krb1-02.txt
> > has been successfully submitted by Rick van Rein and posted to the
> > IETF repository.
> >
> > Name:		draft-vanrein-dnstxt-krb1
> > Revision:	02
> > Title:		Kerberos Realm Descriptors in DNS (KREALM)
> > Document date:	2015-09-03
> > Group:		Individual Submission
> > Pages:		15
> > URL:            https://www.ietf.org/internet-drafts/draft-vanrein-dnstxt-krb1-02.txt
> > Status:         https://datatracker.ietf.org/doc/draft-vanrein-dnstxt-krb1/
> > Htmlized:       https://tools.ietf.org/html/draft-vanrein-dnstxt-krb1-02
> > Diff:           https://www.ietf.org/rfcdiff?url2=draft-vanrein-dnstxt-krb1-02
> >
> > Abstract:
> >    This specification defines methods to determine Kerberos realm
> >    descriptive information for services that are known by their DNS
> >    name.  Currently, finding such information is done through static
> >    mappings or educated guessing.  DNS can make this process more
> >    dynamic, provided that DNSSEC is used to ensure authenticity of
> >    resource records.
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
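As an added illustration of the two points Mark raises (this is not code from the thread, the draft, or ISC), a small Python sketch: a query builder that sets the header AD bit rather than the EDNS0 DO bit, and a presentation-format parser that accepts unquoted base64 split across whitespace tokens and "( ... )" continuation lines, as the DS type already allows. The function names and the sample record are assumptions of this example.

```python
# Added example, not part of the original message or the KREALM draft.
# 1) AD=1 lives in the DNS header (RFC 6840); DO=1 lives in the EDNS0 OPT
#    pseudo-RR and asks for RRSIGs so the client can validate locally.
# 2) Presentation-format base64 may be split over tokens and lines using the
#    standard "( ... )" continuation and ";" comments; it is never quoted.
import base64
import struct

AD_FLAG = 0x0020   # header flags bit "AD" (Authentic Data)
DO_BIT = 0x8000    # high bit of the OPT RR's TTL field ("DNSSEC OK")

def build_query(qname, qtype, ad=True, do=False, txid=0x1234):
    """Wire-format query; ad sets the header AD bit, do adds OPT with DO=1."""
    flags = 0x0100 | (AD_FLAG if ad else 0)                 # RD=1 (+AD)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    labels = qname.rstrip(".").split(".")
    q = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    q += struct.pack("!HH", qtype, 1)                       # class IN
    if do:
        # root name, TYPE OPT (41), UDP payload 4096, TTL carries DO, RDLEN 0
        q += b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return hdr + q

def query_sets_ad(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & AD_FLAG)

def query_requests_do(msg):
    arcount = struct.unpack("!H", msg[10:12])[0]
    return arcount == 1 and bool(struct.unpack("!I", msg[-6:-2])[0] & DO_BIT)

def parse_base64_field(text):
    """Decode a base64 RDATA field that may span tokens, lines and ( ) groups."""
    chunks, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]                          # drop ;comments
        for tok in line.split():
            depth += tok.count("(") - tok.count(")")
            tok = tok.strip("()")
            if tok.startswith('"'):
                raise ValueError("base64 must not be quoted")
            if tok:
                chunks.append(tok)                            # one token each
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return base64.b64decode("".join(chunks), validate=True)   # joined tokens

# Constructed sample: base64 for bytes 00..05, split across tokens and lines.
SAMPLE_FIELD = "( AAEC   ; first line\n      AwQF )"
```

A single-token parser would reject SAMPLE_FIELD outright; the tokenizing one decodes it to the same six bytes as the unsplit string.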