IETF Logo Mail Archive

Re: [kitten] Kerberos Service Discovery using DNS

Greg Hudson <ghudson@mit.edu> Tue, 24 March 2015 14:20 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341631A875C for <kitten@ietfa.amsl.com>; Tue, 24 Mar 2015 07:20:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rYQQiceFTysH for <kitten@ietfa.amsl.com>; Tue, 24 Mar 2015 07:20:06 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C28C1A8755 for <kitten@ietf.org>; Tue, 24 Mar 2015 07:20:05 -0700 (PDT)
X-AuditID: 12074423-f79536d000000e74-26-55117294191b
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id E1.1E.03700.49271155; Tue, 24 Mar 2015 10:20:04 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t2OEK38J032583; Tue, 24 Mar 2015 10:20:04 -0400
Received: from [18.101.8.223] (vpn-18-101-8-223.mit.edu [18.101.8.223]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2OEK1Zg024944 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 24 Mar 2015 10:20:02 -0400
Message-ID: <55117291.2040002@mit.edu>
Date: Tue, 24 Mar 2015 10:20:01 -0400
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Nathaniel McCallum <npmccallum@redhat.com>, Petr Spacek <pspacek@redhat.com>
References: <1425578271.2715.5.camel@redhat.com> <551121EE.1070300@redhat.com> <1427200587.29553.0.camel@redhat.com>
In-Reply-To: <1427200587.29553.0.camel@redhat.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrLIsWRmVeSWpSXmKPExsUixG6nrjulSDDU4OImQ4ujm1exWMz9OovV 4smRfiYHZo8lS34yebzfd5UtgCmKyyYlNSezLLVI3y6BK+Pq6rPsBWv5Krqa9jI2MJ7g7mLk 5JAQMJGYceA+E4QtJnHh3nq2LkYuDiGBxUwS7+f8ZoFwNjJKzDuwBSpzhEli0a2ZzCAtvAJq Ei8nbWUHsVkEVCW2nVgENopNQFli/f6tLCC2qECYxOx1Fxkh6gUlTs58AhYXEYiUWPeglxXE ZhYQlriwfS+YLSxgJbF54xKgeg6gZaUSd4/xg4Q5BYwkvu++DFWuLvFn3iVmCFteonnrbOYJ jIKzkGyYhaRsFpKyBYzMqxhlU3KrdHMTM3OKU5N1i5MT8/JSi3TN9HIzS/RSU0o3MYJD2UV5 B+Ofg0qHGAU4GJV4eAOWCIQKsSaWFVfmHmKU5GBSEuWd7iQYKsSXlJ9SmZFYnBFfVJqTWnyI UYKDWUmEV1gFKMebklhZlVqUD5OS5mBREufd9IMvREggPbEkNTs1tSC1CCYrw8GhJMFbVQjU KFiUmp5akZaZU4KQZuLgBBnOAzR8CkgNb3FBYm5xZjpE/hSjopQ4byFIQgAkkVGaB9cLSzWv GMWBXhHmfV0AVMUDTFNw3a+ABjMBDT6XzwcyuCQRISXVwLi+NUL6j2F8jVkcW3S/4xntRzoK H2okDi/kiZ+7yDNOx9ZS7lLo02nf/XpZ2bpFer8f84+9O/n+33sVNv//v4rcszaUb9n3oFy3 7aVM/rYvQu496Oaq4esullJojK5ffcu0z/1H6kvzbxcqOSfxbFRiiEqws3EvrJiwt/vOq0OP dzRVH2X+osRSnJFoqMVcVJwIAJOoQUcQAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/1g5beMvbL9mW0tUFEdYwsh7-6-A>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 14:20:08 -0000

On 03/24/2015 08:36 AM, Nathaniel McCallum wrote:
> On Tue, 2015-03-24 at 09:35 +0100, Petr Spacek wrote:
>> It seems like a good idea to standardize _kerberos-master URI record 
>> too (with
>> semantics equal to the one described on
>> http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/realm_config.html).

> I *think* this might be MIT specific. Maybe Greg can answer that?

It does look like only MIT krb5 implements it.

The semantics of _kerberos-master are "these addresses represent KDCs
(usually just one) which are more up to date than the other KDCs in the
realm, so retry with one of these if your first try fails for most
reasons."  In some realms the master KDC isn't one of the regular KDCs,
in order to shed the majority of the load from the KDC which is also
running kadmind.

These semantics are not generally needed for a realm with fast
replication (iprop with low polling delay, LDAP, etc.), but there are
enough realms with slow replication that we're not about to discard
those semantics.

It might be good if master KDC entries could be obtained in the same DNS
lookup as regular KDC entries, but none of the ways I can think of to do
it are particularly elegant.  We would need to be able to annotate each
URI with "this is also a master KDC" or "this is only a master KDC".
Shoving that tri-state into each URI scheme wouldn't be very elegant;
designating magic priority values for the URI record would be a layering
violation.  It's not really a big deal if a second DNS lookup is needed
for the fallback.

I have no strong opinion on whether the discovery standard needs to talk
about this.  MIT krb5 can always continue to implement it as a
non-standardized feature, using the same lookup behavior as the
_kerberos URI record but with the label changed to _kerberos-master.

v2.23.0 | Report a Bug | By Email