Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Greg Hudson <ghudson@mit.edu> Tue, 15 September 2015 18:36 UTC

To: Rick van Rein <rick@openfortress.nl>, "kitten@ietf.org" <kitten@ietf.org>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <20150914170757.GC13284@localhost> <55F72B14.8030409@openfortress.nl> <55F7C40F.9000509@openfortress.nl>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <55F86534.50109@mit.edu>
Date: Tue, 15 Sep 2015 14:36:36 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <55F7C40F.9000509@openfortress.nl>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/GPqwVHWdUcphxWGWSq63FBtU8kI>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Precedence: list

On 09/15/2015 03:09 AM, Rick van Rein wrote:
> See... we're requiring DNSSEC to validate the KREALM record, and it is going to be difficult in general to rely on clients to accomadate that; they may be subjected to crummy NAT routers that interfere with, and break DNSSEC.  So, we will probably be dependent on KDCs for practical deployment of KREALM, and a KDC could use KREALM records to inspire a Server Referral in the style of RFC 6806.
> 
> So... it may be reasonable to assume that any KREALM client could work with multiple realms, because they will normally be KDCs.  And that'd mean we wouldn't need this priority or go-for-this-one flag.  Agreed?

A KDC can only return one referral, so I'm not sure what it would do
with multiple realms, with or without priorities.  Perhaps I'm missing
something.

[kitten] Finding Kerberos Realm Descriptors in se… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Martin Rex
Re: [kitten] Finding Kerberos Realm Descriptors i… Watson Ladd
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams