Re: [dnsext] New RRtype "KREALM" in draft-vanrein-dnstxt-krb1-02.txt

Rick van Rein <rick@openfortress.nl> Fri, 11 September 2015 11:14 UTC

Message-ID: <55F2B79A.3010701@openfortress.nl>
Date: Fri, 11 Sep 2015 13:14:34 +0200
From: Rick van Rein <rick@openfortress.nl>
To: Tony Finch <dot@dotat.at>
References: <55E868E8.6050504@openfortress.nl> <alpine.LSU.2.00.1509081536450.734@hermes-2.csi.cam.ac.uk> <55F2A5CC.1080409@openfortress.nl> <alpine.LSU.2.00.1509111115410.29599@hermes-2.csi.cam.ac.uk> <55F2B555.4050105@openfortress.nl> <alpine.LSU.2.00.1509111207110.20720@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1509111207110.20720@hermes-2.csi.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/zzI1MQLlvhstCoL1sKs_oIEPQIY>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] New RRtype "KREALM" in draft-vanrein-dnstxt-krb1-02.txt

Hi Tony,

Thanks for thinking along!

> I was thinking
>
> @ KREALM "realm" "EXAMPLE.COM"
> KREALM "realm" "EXAMPLE.ORG"
> KREALM "admin" "carl"
> KREALM "admin" "mary"
> KREALM "service" "HTTP"
> KREALM "service" "imap"

That would make it impossible to express everything that is desired.
The level of alternation that you are using here has been reserved for
independent statements; the combined tag=value statements form a
cross-product; for example all the realms mentioned combine with all the
admins mentioned in the same RDATA portion.  If another realm has
another admin set it will be specified in a separate KREALM.

This is why I end up with a variable list of tag=value assignments under
one KREALM, and as explained that strikes me as an oddball solution in
DNS.  Do you agree?

Note that more base64 data is incorporated into DNS already, for
instance certificates (where, I admit, there is no choice due to the
tightness of the signatures).

-Rick
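The combination rule Rick describes above (values of the same tag within one RDATA are alternatives, different tags in one RDATA form a cross product, and separate KREALM records are independent statements) can be modelled to show why the flat one-pair-per-record layout loses information. The following is an added example, not code from the draft or from either author; it assumes a simple "tag=value" string encoding of each RDATA purely for modelling, not the draft's actual wire format, and the realm, admin and service names are constructed sample data.

```python
"""Model of the KREALM combination rule under discussion (added example)."""
from collections import defaultdict
from itertools import product


def parse_rdata(strings):
    """Group the tag=value strings of ONE KREALM RDATA by tag.

    Repeated tags within a record are alternatives (e.g. two admins).
    The tag=value encoding is an assumption made for this model.
    """
    groups = defaultdict(list)
    for s in strings:
        tag, sep, value = s.partition("=")
        if not sep or not tag or not value:
            raise ValueError(f"malformed tag=value string: {s!r}")
        groups[tag].append(value)
    return dict(groups)


def expand_rdata(strings):
    """Expand one RDATA into the cross product of its tag value sets.

    Each resulting statement is a tuple of (tag, value) pairs, one per tag.
    """
    groups = parse_rdata(strings)
    tags = sorted(groups)
    return {tuple(zip(tags, values))
            for values in product(*(groups[t] for t in tags))}


def expand_rrset(rrset):
    """Independent-statement reading: the union over separate records."""
    result = set()
    for strings in rrset:
        result |= expand_rdata(strings)
    return result


def expand_flat_rrset(rrset):
    """Single-statement reading of a flat RRset: merge every record's
    strings into one RDATA and take the cross product of all of them."""
    return expand_rdata([s for strings in rrset for s in strings])


def realm_admins(statements):
    """Which admins does the expanded statement set associate with which realm?"""
    out = defaultdict(set)
    for stmt in statements:
        fields = dict(stmt)
        if "realm" in fields and "admin" in fields:
            out[fields["realm"]].add(fields["admin"])
    return {realm: sorted(admins) for realm, admins in out.items()}


# Constructed sample data: two realms with different admin sets.
# Variable tag=value list per KREALM record (Rick's layout).
GROUPED_RRSET = [
    ["realm=EXAMPLE.COM", "admin=carl", "admin=mary", "service=HTTP", "service=imap"],
    ["realm=EXAMPLE.ORG", "admin=bob", "service=HTTP"],
]

# One tag/value pair per KREALM record (Tony's layout).
FLAT_RRSET = [
    ["realm=EXAMPLE.COM"], ["realm=EXAMPLE.ORG"],
    ["admin=carl"], ["admin=mary"], ["admin=bob"],
    ["service=HTTP"], ["service=imap"],
]

if __name__ == "__main__":
    print("grouped, independent records:", realm_admins(expand_rrset(GROUPED_RRSET)))
    print("flat, read as independent records:", realm_admins(expand_rrset(FLAT_RRSET)))
    print("flat, read as one statement:", realm_admins(expand_flat_rrset(FLAT_RRSET)))
```

Run as a script, the grouped layout yields carl and mary for EXAMPLE.COM and bob for EXAMPLE.ORG. The flat layout has no good reading: treated as independent records, no statement ties any admin to any realm at all; treated as one merged statement, every admin is granted for every realm, which is exactly the over-broad cross product the mail warns about.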