IETF Logo Mail Archive

Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Rick van Rein <rick@openfortress.nl> Tue, 15 September 2015 07:08 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0CF21B379A for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 00:08:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W7lS1Jnmqnbu for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 00:08:48 -0700 (PDT)
Received: from lb1-smtp-cloud2.xs4all.net (lb1-smtp-cloud2.xs4all.net [194.109.24.21]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8B121ACF19 for <kitten@ietf.org>; Tue, 15 Sep 2015 00:08:47 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id HK8k1r00A10HQrX01K8lrc; Tue, 15 Sep 2015 09:08:45 +0200
Message-ID: <55F7C3FA.5090802@openfortress.nl>
Date: Tue, 15 Sep 2015 09:08:42 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: "kitten@ietf.org" <kitten@ietf.org>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl>
In-Reply-To: <55F6F843.2070609@openfortress.nl>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/4w_qhAsvkfOjQl4Ladwi_xhrDEo>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 07:08:50 -0000

Interesting :)

While talking on DNSEXT, the complexity of KREALM started to explode, and that's why I came up with use cases as a guideline.  What you're now telling me is that there is only one real problem for Kerberos (to which I agree) and that the rest is not specific to Kerberos (which I hadn't realised yet, but agree with too).

So, time to simplify.  What we're now looking it is a very simple KREALM record that says stuff like

www.example.org.  IN KREALM  "EXAMPLE.ORG"
                  IN KREALM "EXAMPLE.COM"

if it wants to state the Kerberos realms to consider for the DNS name www.example.com.  As a freebe, we're also getting the possibility to say

example.org.  IN KREALM "EXAMPLE.ORG"

so we now how to spell the DNS-name's realm in proper case.  But although that's defined (somewhere) as missing-because-not-secure, it is not actually necessary for Kerberos to function.  Which is true.

I'm also pulling back my thought on permitting the more complicated use cases, because you've convinced me that this is not Kerberos-specific stuff.

I want to rethink offline how I got to the current proposal, because I think I originally started with precisely this...

> I would also drop the zone apex business.

I definately won't define iteration that passes through the zone apex because the DNSKEY switch makes that a security problem, but I can agree to not iterating at all.  In that case, we'd simply have to specify a KREALM record next to each server name.  Still, that's quite acceptable I think, even if it replicates data in multiple places of a zone; by now I'm convinced that the alternative adds too much complexity.  And at least the records got simple again :)

FWIW, wildcards won't work to define KREALM for all servers in a zone -- a server will have an AAAA or A or SRV record for the server's hostname, which interferes with a matching wildcard.

If you guys are happy with this, I will redraft and post it here and return to DNSEXT.

Thanks for the fireworks ;-)
 -Rick

v2.23.0 | Report a Bug | By Email