IETF Logo Mail Archive

Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00

Benjamin Kaduk <kaduk@mit.edu> Tue, 11 April 2017 04:53 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB25F1289C3 for <kitten@ietfa.amsl.com>; Mon, 10 Apr 2017 21:53:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnxE7DM2TXsf for <kitten@ietfa.amsl.com>; Mon, 10 Apr 2017 21:53:05 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC059124234 for <kitten@ietf.org>; Mon, 10 Apr 2017 21:53:05 -0700 (PDT)
X-AuditID: 12074424-733ff700000015d3-b7-58ec612fd865
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 6B.46.05587.F216CE85; Tue, 11 Apr 2017 00:53:03 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v3B4r22i028401; Tue, 11 Apr 2017 00:53:02 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v3B4qvZD017166 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 11 Apr 2017 00:53:00 -0400
Date: Mon, 10 Apr 2017 23:52:57 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: Matt Rogers <mrogers@redhat.com>, kitten@ietf.org
Message-ID: <20170411045257.GY30306@kduck.kaduk.org>
References: <x7dzige39sj.fsf@equal-rites.mit.edu> <CAAeFVfwexk8THERJZ5Qm+sTB+FVMWsRSOXninGFmMWehzwiz-A@mail.gmail.com> <2ccb915d-4a10-1ced-d8c8-298e1aec6373@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2ccb915d-4a10-1ced-d8c8-298e1aec6373@mit.edu>
User-Agent: Mutt/1.6.1 (2016-04-27)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrEIsWRmVeSWpSXmKPExsUixG6nrquf+CbCYOZZWYujm1exWNyfGOfA 5LFkyU8mj/f7rrIFMEVx2aSk5mSWpRbp2yVwZRyYq1XwVq1i0cILbA2Ml+W6GDk4JARMJFrf WnUxcnEICbQxSTT8PM3UxcgJ5GxklPjw2AYicZVJ4tvGVYwgCRYBVYmTO8+zgdhsAioSDd2X mUFsEQFFiWer5rKA2MwCphIfPt4DqxEW8JJ4PGUpC8gyXqBlM1YJQsxcySixYdY0sBpeAUGJ kzOfQPVqSdz495IJpJ5ZQFpi+T8OEJNTwFpixe1okApRAWWJhhkPmCcwCsxC0jwLSfMshOYF jMyrGGVTcqt0cxMzc4pTk3WLkxPz8lKLdM31cjNL9FJTSjcxgoPTRWUHY3eP9yFGAQ5GJR5e ibLXEUKsiWXFlbmHGCU5mJREeQNmAoX4kvJTKjMSizPii0pzUosPMUpwMCuJ8DpEv4kQ4k1J rKxKLcqHSUlzsCiJ84prNEYICaQnlqRmp6YWpBbBZGU4OJQkeKUSgBoFi1LTUyvSMnNKENJM HJwgw3mAhs+IBxleXJCYW5yZDpE/xajL8W7ph/dMQix5+XmpUuK8XiBFAiBFGaV5cHNASUUi e3/NK0ZxoLeEeQ+CrOMBJiS4Sa+AljABLTmz6yXIkpJEhJRUA+N8J9cDnJPVbJlVD2RwbD32 9N2rL6eSJr9OjTjUtL39xnTXc0tWXFnTvXt9wJVamdw7u/5nPNxxUK/332G2nZwLp3Qa2Bl1 ZgsteC7F7Zmwc2IP294H7rHf5671UrwX2VBh8iLh1CMFp8u97S/3NO3zn2bm3/rNxIbhZ9q6 V3vuZyZs61nqzXBEiaU4I9FQi7moOBEAQQ+syQUDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/EoNXketHYIfOF_6HKTBg1OSdofU>
Subject: Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2017 04:53:08 -0000

On Mon, Apr 03, 2017 at 12:32:55PM -0400, Greg Hudson wrote:
> On 03/30/2017 02:51 PM, Matt Rogers wrote:
> >> * RFC 7553 is informational and this document is standards track, which
> >>   is a down reference (see RFC 3967).  Also, RFC 7553 contains ambiguous
> >>   guidance about URI records labels which some readers have interpreted
> >>   as being incompatible with our use of labels.  I think at one point we
> >>   received advice to reference the IANA registration of the URI record
> >>   type instead of RFC; unfortunately I do not know the mechanics of that
> >>   kind of reference.
> 
> > The IANA registration entry refers to RFC 7553:
> > https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
> > Perhaps it should just be an informative reference instead.
> 
> There is also a "completed template" in the IANA assignment:
> 
> https://www.iana.org/assignments/dns-parameters/URI/uri-completed-template
> 
> I hadn't read this before.  It says (in section E):
> 
>   The URI RR has service information encoded in its ownername.  In
>   order to encode the service for a specific owner name one uses
>   service parameters.  Valid service parameters used are either
>   Enumservice Registrations registered by IANA, or prefixes used
>   for the SRV resource record.

It's not entirely clear just how binding this is on consumers,
though I do think IANA consults this sort of thing sometimes.

> which seems like a slightly more restrictive statement than the one in
> RFC 7553.  We may need some guidance from the chairs or ADs on the

Given how similar it is to the text in the RFC, I think we are
forced to conclude that the RFC takes precedence, possibly due to
last-minute changes.  (That is, that someone got sloppy at some
point.  But the RFC text is what has IETF consensus, and is thus
preferred.)  The relevant text was added in draft-faltstrom-uri-11,
FWIW.

We can call this issue out in the shepherd writeup for IESG
attention, too.  Making a final call is "above our pay grade" :)

> mechanics of moving forward here.  Simply making the reference
> informative doesn't seem sufficient, as the URI RR type is fundamental
> to this standard.
> 
> (To be clear, I think what we're doing ought to be fine, and that it's
> generally pointless to include a transport label in a URI record owner
> name like one would in a SRV owner name.  The question is one of
> conformance with the pre-existing standard, not practicality.)

It is correct to leave the reference as normative; the downref can
be called out during IETF last call (though, IIRC, some recent-ish
changes in policy do not mandate it quite as strongly as it used to
be).

> >> * Similarly, MS-KKDCP is in the normative references section, and is not
> >>   a standards-track IETF document.  It is only used as the reference in
> >>   the initial contents of the transport registry, so perhaps it can just
> >>   be an informative reference.
> >>
> > I'll make this an informative reference.
> 
> The MS-KKDCP reference is obvious controlling when using the kkdcp
> transport.  Since this is just an initial transport registration, it may
> be okay to use an informative reference.

I believe an informative reference is fine for this document, as
that spec is not needed in order to use the discovery protocol
itself.  (It's needed to use the results of discovery, but that's
out of scope.)

> >> * The wording here seems too general.  I think we want to specifically
> >>   say that URI records should be preferred over SRV records.
> 
> > How about: "Clients that support service discovery through both URI
> > and SRV records SHOULD perform the URI discovery first. If no URI
> > record is found, the client MAY then attempt SRV discovery."
> 
> Sure.
> 
> There is an argument for a MUST here.  DNS administrators will commonly
> want to set up both URI and SRV records for a realm, and the behavior of
> trying URI first may be important (e.g. if the URI record includes a
> kkdcp entry).

Note that the MUST only applies for implementations that claim to
comply with <RFC-to-be>, so it is not as strong a requirement as it
might seem at first.

> >> * The reference here is "TBD".  Is there a plan?  Is the reference
> >>   supposed to be to this RFC once a number is assigned?
> >>
> > 
> > It should be changed to the assigned number, yes. It was suggested
> > that instead of TBD we use [This Document], which I think is the
> > convention for this kind of reference.
> 
> That seems okay.  There might also need to be an RFC editor guidance
> section pointing out the need for a substitution there.  For instance,
> in https://tools.ietf.org/html/draft-ietf-krb-wg-crypto-07 see the
> "Notes to RFC Editor" section at the end.

Yes, "[this document]" is an accepted form.  I don't expect a
specific RFC Editor note is needed for this sort of usage.

-Ben

v2.23.0 | Report a Bug | By Email