Re: [dnsext] New RRtype "KREALM" in draft-vanrein-dnstxt-krb1-02.txt

"Patrik Fältström " <paf@frobbit.se> Sun, 13 September 2015 14:17 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6B3B1B2B55 for <dnsext@ietfa.amsl.com>; Sun, 13 Sep 2015 07:17:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.838
X-Spam-Level: *
X-Spam-Status: No, score=1.838 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_SE=0.35, J_CHICKENPOX_54=0.6, J_CHICKENPOX_74=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNm2id60x4zr for <dnsext@ietfa.amsl.com>; Sun, 13 Sep 2015 07:17:19 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80B481B2B49 for <dnsext@ietf.org>; Sun, 13 Sep 2015 07:17:19 -0700 (PDT)
Received: from [172.20.8.159] (rrcs-74-87-33-234.west.biz.rr.com [74.87.33.234]) by mail.frobbit.se (Postfix) with ESMTPSA id 8D44020203; Sun, 13 Sep 2015 16:17:16 +0200 (CEST)
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Rick van Rein" <rick@openfortress.nl>
Date: Sun, 13 Sep 2015 07:17:14 -0700
Message-ID: <8A56371C-2D1C-4E22-B543-5AA2A0C9C04A@frobbit.se>
In-Reply-To: <55F2B555.4050105@openfortress.nl>
References: <55E868E8.6050504@openfortress.nl> <alpine.LSU.2.00.1509081536450.734@hermes-2.csi.cam.ac.uk> <55F2A5CC.1080409@openfortress.nl> <alpine.LSU.2.00.1509111115410.29599@hermes-2.csi.cam.ac.uk> <55F2B555.4050105@openfortress.nl>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_A79E5803-8954-4F04-8D69-9F745ED72BD3_="; micalg=pgp-sha1; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/er8B35D98IPL_anR5jmWtEo40WE>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] New RRtype "KREALM" in draft-vanrein-dnstxt-krb1-02.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2015 14:17:20 -0000

On 11 Sep 2015, at 4:04, Rick van Rein wrote:

> HINFO uses precisely 2 strings, with KREALM it'd be variable, but could be done with something like
>
> @ IN KREALM ( "realm=EXAMPLE.COM" "realm=EXAMPLE.ORG"
>    admin=carl "admin=mary"
>    service=HTTP "service=imap" )

Can you explain what you try to express with the statement above? Specifically when two attribute/value pairs are not quoted, but others are.

And be VERY specific and explain what data whoever has that looks up this record. What data do the party have and what data do the party want.

What we have somewhat bad experience with is to have selections made on the RDATA side of resource records (see NAPTR) and instead (as laid out in RFC5507 and RFC6950).

It sounds to me that the one looking for the record know it has domain name and service and looks for realm and admin? Where the two last ones can be multiple. Or is the service also unknown and one want to know what services orb can be used? A subset of services available at this domain?

In the draft I see:

   Two mappings are needed for the given scenario.  One is a mapping
   from the FQDN of a service to its realm name; the other is a mapping
   from the realm name to the Kerberos-specific services such as the
   KDC.  The latter mapping is published in SRV records [RFC4120] and
   such traffic is protected by the Kerberos protocol itself.  The first
   mapping however, has hitherto not been standardised and is ill-
   advised over unsecured DNS because the published information is then
   neither validated by DNS nor does it lead to a protocol that could
   provide end-to-end validation for it.

I though service+fqdn -> realm was using SRV, but the text here say that that is what you try to fix with this new spec. Or is my english failing me?

   Patrik