IETF Logo Mail Archive

Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Nico Williams <nico@cryptonector.com> Thu, 17 September 2015 19:40 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6739D1A897B for <kitten@ietfa.amsl.com>; Thu, 17 Sep 2015 12:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XuQwppHDUQcD for <kitten@ietfa.amsl.com>; Thu, 17 Sep 2015 12:40:53 -0700 (PDT)
Received: from homiemail-a103.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 1A76D1A710C for <kitten@ietf.org>; Thu, 17 Sep 2015 12:40:53 -0700 (PDT)
Received: from homiemail-a103.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTP id C4CA72005E62D; Thu, 17 Sep 2015 12:40:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=T5x548Gxwjbc8/ 3ghs6g5/2wSn4=; b=oarh95PdrExcvJLAxLFOUr3BVkVhJEArQwoZN9D8czPGtR teXswyDqCpxKFbqFvZV10O/8x0CkqvIU1iS033NDPfqtMjh0EzRjhPALAh850nP/ skeY2zD+9YMl6pFKSp1LnJUUSSm0F9jZbNBa9fX1iMX3avS0wq+Tovl2mMIPQ=
Received: from localhost (108-207-244-100.lightspeed.austtx.sbcglobal.net [108.207.244.100]) (Authenticated sender: nico@cryptonector.com) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTPA id 5F7832005E62C; Thu, 17 Sep 2015 12:40:52 -0700 (PDT)
Date: Thu, 17 Sep 2015 14:40:51 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20150917194050.GV13294@localhost>
References: <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl> <20150915144724.GJ21942@mournblade.imrryr.org> <55F9118C.3050407@openfortress.nl> <20150916180843.GA21942@mournblade.imrryr.org> <55FA6FB4.3080307@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55FA6FB4.3080307@openfortress.nl>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/EA7nIgfVr_9dW69wCXMtpMI5b2o>
Cc: kitten@ietf.org
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 19:40:54 -0000

On Thu, Sep 17, 2015 at 09:45:56AM +0200, Rick van Rein wrote:
> 5. The current implementation of TXT does not take DNSSEC into account,
> meaning that its existence is not going to be of as much use as we'd
> like to think.  IOW, we'd still be imposing restrictions on KDCs,
> probably in terms of their default settings.

Well, no, the client can and should onlye use TXT RRs for this that have
been validated.  One could use TLSA RRs without DNSSEC -- it makes
little sense, but the point is that the same is true for TXT RRs for
host-to-realm lookups.

> 6. As for i18n, we might use DNS' approach for it and let Kerberos
> simply use the xn-- names internally.  I cannot imagine that this would

This... is a large subject that we should not broach in this context.

That said (heh) I think the right answer is to consider DOMAIN-style
realm names as having multiple alias forms such that a) they are
case-insensitive (at least as to ASCII labels), b) A-labels are aliases
of the corresponding U-labels.  Clients and services should internally
canonicalize to up-cased Unicode forms wherever possible (with
configurable exceptions, as there are ASCII lower-case realm names in
production use) for name-based authorization compatibility reasons.
Finally, we can then either bite the KerberosString bullet or leave it
for later by using A-labels in KerberosString domainname slots.

> 7. Something I don't know is whether and how the KDC distinguishes realm
> name styles.  In the above I've assumed that it is tagged, and that end

By the presence/absence of ':' in the name.  No realm-type value is
explicitly encoded in any Kerberos PDU.

> user tools also get to see these tags.  If not, there might be a few
> more problems lurking, and things to configure manually, with sane defaults.

No problems lurk here, thankfully.

> I suppose KREALM is hereby history, so we would be making a choice
> between TXT and PTR.  My vote is now on PTR, with the aforementioned
> implications of i18n and making the KDC look at the realm's naming style
> before it decides how to compare (or have per-realm configurable
> comparison rules).  The break with implemented but never-standardised
> TXT records is IMHO warranted because we are relying on DNSSEC which is
> an extra responsibility for the KDC that goes beyond TXT anyway.

TXT to Informational.  PTR to Proposed Standard.  That's my preference.

Nico
--

v2.23.0 | Report a Bug | By Email