Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Rick van Rein <rick@openfortress.nl> Tue, 15 September 2015 07:41 UTC

Message-ID: <55F7CB98.6060300@openfortress.nl>
Date: Tue, 15 Sep 2015 09:41:12 +0200
From: Rick van Rein <rick@openfortress.nl>
To: kitten@ietf.org
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org>
In-Reply-To: <20150915073030.GD21942@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/F4066uxxhAW0CP6Uk701tHQKTKY>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Hi Viktor,

> Text strings used to be handy for realm names in DNS when associated
> SRV records were plausibly optional.  These days, the REALM *should*
> be a DNS name.

If that's not MUST then I don't think it's a safe assumption to make.

> Therefore, a simpler design would be:
>
>     ; Realm mapping per-host reduces lookup latency
>     ;
>     _kerberos.host.name.example.com. IN PTR EXAMPLE.COM.

The value of PTR is a <domain-name> rather than a binary <character-string>, which makes it case-insensitive, and I wouldn't be surprised if some name server mangled the case of PTR records to all-lowercase.

Also, the trailing dot is not the only form that may be used; there can be relative names.

And, you are using PTR in forward DNS, which may upset people.

Finally, the PTR record already has its meaning, and that is not the one we have in mind.  The new RRtype can be hard and clear about its meaning for Kerberos, and avoid security questions relating to the use of certain records.

I initially proposed overloading TXT, and that gave strong responses to instead register a new RRtype; nobody on DNSEXT is questioning that change.  I therefore propose to not follow your idea.  It made me smile though, because it is an interesting find.


Thanks!
 -Rick
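The two objections above (a PTR target is a case-insensitive <domain-name>, and a name without a trailing dot is relative to the zone origin) can be checked mechanically. The following is an added illustration, not code from this thread or from any Kerberos or DNS implementation: it builds the wire-format RDATA of a PTR and of a TXT record using only the Python standard library, then applies the DNSSEC canonical form from RFC 4034 section 6.2, which lowercases domain names embedded in the RDATA of listed types (PTR among them) but leaves TXT <character-string>s untouched. The function and variable names are my own; the realm and host names are constructed sample values.

```python
"""Wire-format RDATA and DNSSEC canonical form for PTR versus TXT.

Constructed example: shows that a realm name carried in a PTR target
(a <domain-name>) loses its case under canonical-form comparison and
signing, while the same bytes in a TXT <character-string> are preserved,
and that a target without a trailing dot is completed with the zone origin.
"""
from typing import Optional


def wire_name(name: str, origin: Optional[str] = None) -> bytes:
    """Encode a presentation-format name as a sequence of length-prefixed labels.

    A name without a trailing dot is relative and is completed with
    ``origin`` (which must itself be absolute), as a zone-file parser does.
    """
    if not name.endswith("."):
        if origin is None or not origin.endswith("."):
            raise ValueError(f"relative name {name!r} needs an absolute origin")
        name = name + "." if origin == "." else name + "." + origin
    labels = [] if name == "." else [lab for lab in name[:-1].split(".") if lab]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def canonical_name(wire: bytes) -> bytes:
    """RFC 4034 s6.2: uncompressed, with all ASCII letters lowercased.

    Length octets are 0..63 and never ASCII letters, so bytes.lower() only
    touches label characters.
    """
    return wire.lower()


def ptr_rdata(target: str, origin: Optional[str] = None) -> bytes:
    """PTR RDATA is a single <domain-name>."""
    return wire_name(target, origin)


def ptr_rdata_canonical(target: str, origin: Optional[str] = None) -> bytes:
    """PTR is in the s6.2 list, so its RDATA name is lowercased in canonical form."""
    return canonical_name(ptr_rdata(target, origin))


def txt_rdata(*strings: str) -> bytes:
    """TXT RDATA: one or more <character-string>s, each a length octet plus
    up to 255 octets, copied verbatim."""
    out = bytearray()
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("character-string longer than 255 octets")
        out.append(len(raw))
        out += raw
    return bytes(out)


def txt_rdata_canonical(*strings: str) -> bytes:
    """TXT is not in the s6.2 list: canonical form is the RDATA unchanged."""
    return txt_rdata(*strings)


def ptr_targets_equivalent(a: str, b: str, origin: Optional[str] = None) -> bool:
    """True when two PTR targets are the same record in canonical form."""
    return ptr_rdata_canonical(a, origin) == ptr_rdata_canonical(b, origin)


def txt_strings_equivalent(a: str, b: str) -> bool:
    """True when two TXT strings are the same record in canonical form."""
    return txt_rdata_canonical(a) == txt_rdata_canonical(b)


if __name__ == "__main__":
    # Constructed sample values: a realm name and a host zone.
    print("PTR EXAMPLE.COM. == example.com. ?",
          ptr_targets_equivalent("EXAMPLE.COM.", "example.com."))
    print("TXT EXAMPLE.COM == example.com ?",
          txt_strings_equivalent("EXAMPLE.COM", "example.com"))
    # Without the trailing dot the target is completed with the origin.
    print("relative target ->", wire_name("EXAMPLE.COM", "host.name.example.com."))
```

The first call reports True: once the PTR RDATA is put in canonical form, `EXAMPLE.COM.` and `example.com.` are byte-identical, so a Kerberos realm whose case matters cannot be distinguished, whereas the TXT comparison keeps the two strings apart. The third call shows the relative-name hazard from the message: `EXAMPLE.COM` without a trailing dot in a zone whose origin is the host name becomes `EXAMPLE.COM.host.name.example.com.` rather than the intended realm.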