IETF Logo Mail Archive

Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?

Nathaniel McCallum <npmccallum@redhat.com> Tue, 17 May 2016 21:26 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A83CC12D0BE for <kitten@ietfa.amsl.com>; Tue, 17 May 2016 14:26:06 -0700 (PDT)
X-Quarantine-ID: <sMXXPsRUuh09>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made up entirely of whitespace (char 09 hex): References: ...2432.9.camel@redhat.com>\n\t\n <54c900f2-399[...]
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level:
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMXXPsRUuh09 for <kitten@ietfa.amsl.com>; Tue, 17 May 2016 14:26:01 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C844112DA0F for <kitten@ietf.org>; Tue, 17 May 2016 14:26:01 -0700 (PDT)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 89A5781129; Tue, 17 May 2016 21:26:01 +0000 (UTC)
Received: from vpn-55-135.rdu2.redhat.com (vpn-55-135.rdu2.redhat.com [10.10.55.135]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u4HLQ0v9029025 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 17 May 2016 17:26:01 -0400
Message-ID: <1463520360.2432.46.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>, kitten@ietf.org
Date: Tue, 17 May 2016 17:26:00 -0400
In-Reply-To: <490bd7aa-81ca-9199-6687-222bb65caddf@secure-endpoints.com>
References: <1463500163.2432.9.camel@redhat.com> <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com> <1463517801.2432.24.camel@redhat.com> <490bd7aa-81ca-9199-6687-222bb65caddf@secure-endpoints.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Tue, 17 May 2016 21:26:01 +0000 (UTC)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/0u0vCjgdWKAj_wEvMGB2IWDecCA>
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2016 21:26:07 -0000

On Tue, 2016-05-17 at 17:08 -0400, Jeffrey Altman wrote:
> On 5/17/2016 4:43 PM, Nathaniel McCallum wrote:
> > We will need to add at least one more DNS query to support MS-KKDCP
> > (two if we have to treat http and https as separate queries). This
> > is
> > unavoidable. While it is true that this will result in a 50%
> > increase
> > in DNS queries, using my URI scheme means that a simple
> > administrator
> > configuration can turn this 50% increase into a 50% decrease in
> > queries
> > over the existing implementations. This is a win.
> 
> As an implementer I can tell you that it would be more than a decade
> before I would ever be able to remove existing lookup methods and
> possibly even longer than that.

I'm also an implementer. And I can tell you that when you remove the
code doesn't matter. All that matters is what happens at runtime. And
if we offer admins a way to cut their Kerberos DNS requests in half,
they'll take it.

> As a deployer of a realm I can tell you that I have no control over
> updates of Kerberos libraries in the clients.  Clients are deployed
> long
> after the 10 year lifetimes of the operating systems and new features
> such as this are not backported into prior OS distributions.
> As such I would be unable to rely upon URI as a replacement for SRV
> for
> more than 10 years.  I would be required to publish both URI and and
> SRV
> lookup records forever.

Agreed. But who cares? Clients that support the new method get
increased speed and functionality. Clients that don't, get the same
behavior they always had. The only cost for this on the DNS-side of the
equasion is an additional record -- one which we need anyway.

> You have described a reason why URI lookups are necessary for MS-
> KKDCP.
> Please restrict your draft to that case.

I've described a reason why a URI record lookup is requied for MS-
KKDCP. However, I've also described a system which presents a 50%
reduction in DNS lookups. I don't see any reason to neglect this second
feature.

v2.23.0 | Report a Bug | By Email