Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?

Jeffrey Altman <jaltman@secure-endpoints.com> Tue, 17 May 2016 16:25 UTC

To: kitten@ietf.org
References: <1463500163.2432.9.camel@redhat.com>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Openpgp: id=FA444AF197F449B24CF3E699F77A735592B69A04; url=http://pgp.mit.edu
Organization: Secure Endpoints Inc.
Message-ID: <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com>
Date: Tue, 17 May 2016 12:25:10 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0
MIME-Version: 1.0
In-Reply-To: <1463500163.2432.9.camel@redhat.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms030508040400040104020901"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/7-JHZAK-sXJ3n7_zgB47WUcB6Z0>
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>

On 5/17/2016 11:49 AM, Nathaniel McCallum wrote:
> https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-02
> 
> I'd like to propose adoption of this draft:
> 
> 1. It is in the scope of the WG. This is an extension to the discovery
> methods already defined in RFC 4120.
> 
> 2. It is beneficial. It provides both speed improvements and additional
> functionality (discovery of MS-KKDCP proxies).
> 
> 3. It is small. It avoids defining new: DNS names, DNS semantics, URIs,
> or transport semantics. It simply combines the existing tools in a
> fairly obvious way.
> 
> Thoughts?
> 

Having read the draft, I am totally unclear how it is implemented.

  _kerberos.REALM

is not a valid DNS URI record name.  To translate the URI

  https://host[:port][path]

to an URI record requires

 _kerberos._https.host

not

 _kerberos.host

DNS URI records according to RFC 7553 work just like DNS SRV records in
that they require both a service name and a protocol name.  Switching to
URI records does not solve the problem of multiple DNS queries.

To find a KDC that supports https, use the DNS SRV record

  _kerberos._https.REALM

Registering additional service types such as "kpasswd" can be done, but
the fact is implementations such as Heimdal already perform SRV lookups for

 _kpasswd._tcp.REALM and _kpasswd._udp.REALM

Can you make a case for something that DNS URI records provides that DNS
SRV records do not?

The introduction of DNS URI records will only mean that, in practice,
Kerberos client libraries will need to issue the DNS URI queries in
addition to the existing DNS SRV queries.

Jeffrey Altman
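The naming and record-selection rules the message argues over, as an added example that is not code from the kitten list, the draft, or any Kerberos implementation. It assumes the SRV owner-name convention of RFC 4120 (`_kerberos._udp.REALM`), the URI owner-name convention of RFC 7553 section 4.1 (`_service._proto.name`, which is the basis of the objection to `_kerberos.REALM` above), and the priority/weight selection procedure of RFC 2782. All record data is constructed sample data; `is_valid_uri_owner`, `order_records` and `discovery_plan` are names chosen here, not anything defined by those RFCs.

```python
"""Build, validate and order the DNS records used for Kerberos KDC discovery.

Added example (not from the kitten list or the draft). Assumptions: RFC 4120
SRV owner names (_kerberos._proto.REALM), RFC 7553 URI owner names
(_service._proto.name) and RFC 2782 priority/weight ordering. Sample rdata
strings below are constructed, not real zone data.
"""
import random
import re
from typing import Dict, List, Tuple

# Transports the message discusses: classic UDP/TCP plus HTTPS (MS-KKDCP).
SRV_PROTOS = ("udp", "tcp", "https")

# RFC 7553 owner names carry both a _service and a _proto label, like SRV.
_URI_OWNER = re.compile(r"^_[A-Za-z0-9-]+\._[A-Za-z0-9-]+\..+$")


def srv_name(service: str, proto: str, realm: str) -> str:
    """SRV owner name per RFC 4120, e.g. _kerberos._tcp.EXAMPLE.COM."""
    return f"_{service}._{proto}.{realm}"


def uri_name(service: str, proto: str, name: str) -> str:
    """URI owner name per RFC 7553: service label, protocol label, then name."""
    return f"_{service}._{proto}.{name}"


def is_valid_uri_owner(name: str) -> bool:
    """True only when the owner name has the _service._proto prefix RFC 7553
    requires; _kerberos.REALM alone fails this check."""
    return _URI_OWNER.match(name) is not None


def parse_srv_rdata(rdata: str) -> Dict:
    """Parse SRV presentation format: 'priority weight port target'."""
    prio, weight, port, target = rdata.split()
    return {"priority": int(prio), "weight": int(weight),
            "port": int(port), "target": target.rstrip(".")}


def parse_uri_rdata(rdata: str) -> Dict:
    """Parse URI presentation format: 'priority weight "target-uri"'."""
    prio, weight, target = rdata.split(maxsplit=2)
    return {"priority": int(prio), "weight": int(weight),
            "target": target.strip().strip('"')}


def order_records(records: List[Dict], seed: int = 0) -> List[Dict]:
    """Order records as RFC 2782 directs: lowest priority first, and within a
    priority a weighted random pick so higher weights are tried earlier.
    The seed makes the choice reproducible for testing."""
    rng = random.Random(seed)
    by_prio: Dict[int, List[Dict]] = {}
    for rec in records:
        by_prio.setdefault(rec["priority"], []).append(rec)
    ordered: List[Dict] = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in pool:
                running += rec["weight"]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def discovery_plan(realm: str, with_uri: bool) -> List[Tuple[str, str]]:
    """Queries a client issues for REALM: one SRV per transport and, when URI
    records are consulted as well, the same number of URI queries on top,
    which is the extra-query cost the message predicts."""
    plan = [("SRV", srv_name("kerberos", p, realm)) for p in SRV_PROTOS]
    if with_uri:
        plan += [("URI", uri_name("kerberos", p, realm)) for p in SRV_PROTOS]
    return plan


if __name__ == "__main__":
    # Constructed sample records for a fictitious realm.
    srvs = [parse_srv_rdata("10 50 88 kdc1.example.com."),
            parse_srv_rdata("10 50 88 kdc2.example.com."),
            parse_srv_rdata("20 0 88 backup.example.com.")]
    for rec in order_records(srvs, seed=1):
        print(rec["priority"], rec["weight"], rec["target"])
    print(is_valid_uri_owner("_kerberos.EXAMPLE.COM"))          # False
    print(is_valid_uri_owner("_kerberos._https.EXAMPLE.COM"))   # True
    for qtype, qname in discovery_plan("EXAMPLE.COM", with_uri=True):
        print(qtype, qname)
```

`order_records` keeps equal-priority KDCs interchangeable while always trying lower-priority numbers first, so the backup KDC at priority 20 is only reached after both priority-10 KDCs; `discovery_plan` makes visible that consulting URI records alongside SRV doubles the query count rather than replacing it.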