Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Rick van Rein <rick@openfortress.nl> Wed, 16 September 2015 07:26 UTC

Message-ID: <55F9198C.1040305@openfortress.nl>
Date: Wed, 16 Sep 2015 09:26:04 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <20150914170757.GC13284@localhost> <55F72B14.8030409@openfortress.nl> <55F7C40F.9000509@openfortress.nl> <55F86534.50109@mit.edu>
In-Reply-To: <55F86534.50109@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/26q3RZELTKQ2RO4F7cS3US-muVM>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Precedence: list

>> So... it may be reasonable to assume that any KREALM client could work with multiple realms, because they will normally be KDCs.  And that'd mean we wouldn't need this priority or go-for-this-one flag.  Agreed?
> A KDC can only return one referral, so I'm not sure what it would do
> with multiple realms, with or without priorities.  Perhaps I'm missing
> something.
The referral that the KDC returns is one for which it succeeded to construct a TGT.  Having multiple realms gives an opportunity to try multiple paths in constructing that TGT.  I wouldn't be surprised if there are use cases that want to exploit this, even if it puts a strain on the client's KDC.

-Rick

[kitten] Finding Kerberos Realm Descriptors in se… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Martin Rex
Re: [kitten] Finding Kerberos Realm Descriptors i… Watson Ladd
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams