Re: [kitten] Kerberos Service Discovery using DNS

Jeffrey Altman <jaltman@secure-endpoints.com> Wed, 11 March 2015 18:31 UTC

Message-ID: <550089C9.3080302@secure-endpoints.com>
Date: Wed, 11 Mar 2015 14:30:33 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints Inc.
To: Benjamin Kaduk <kaduk@MIT.EDU>, Nathaniel McCallum <npmccallum@redhat.com>
References: <1425578271.2715.5.camel@redhat.com> <alpine.GSO.1.10.1503111201350.3953@multics.mit.edu> <1426091451.3471.35.camel@redhat.com> <alpine.GSO.1.10.1503111236240.3953@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1503111236240.3953@multics.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Gedod9EHrf7KGEyflXtWxDbPQ54>
Cc: kitten@ietf.org
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On 3/11/2015 12:44 PM, Benjamin Kaduk wrote:
> On Wed, 11 Mar 2015, Nathaniel McCallum wrote:
> 
>> On Wed, 2015-03-11 at 12:05 -0400, Benjamin Kaduk wrote:
>>> On Thu, 5 Mar 2015, Nathaniel McCallum wrote:
>>>
>>>> I have uploaded a new draft:
>>>>
>>>> http://datatracker.ietf.org/doc/draft-mccallum-kitten-krb-service-discovery/
>>>>
>>>> If you'd like to discuss it, reply to this message. :)
>>>
>>> I'm generally in favor of something like this.
>>>
>>> A few things that came to mind while reading it that have not
>>> already been raised:
>>>
>>> You cover kerberos and kpasswd, but not kadmin.  Any reason why?
>>> (MIT's code does not currently support using DNS to locate an admin
>>> server, but that's not a reason to reject adding it to a discovery
>>> protocol in its own right.)
>>
>> My understanding is that kadmin is a proprietary protocol and has not
>> been standardized. If that is incorrect, I can certainly add it. Does
>> it already have a standardized discovery protocol?
> 
> There are at least two different proprietary kadmin protocols.

And this is why SRV records for kadmin are not standardized.

> SRV records for _kerberos-adm._tcp.[realm] are documented by both
> MIT and Heimdal, and exist at many sites.  It looks like Heimdal doesn't
> actually implement client support for them, either, though, judging by git
> grep. 

Using the same SRV record for both MIT and Heimdal is in my opinion a
bad mistake since each kadmin service implementation is incompatible
with the other.

_mit-kerberos-adm._tcp.[realm]
_heimdal-kerberos-adm._tcp.[realm]

would have been much better.

> (The corresponding draft-ietf-cat-krb-dns-locate seems to have
> withered and died.)

No.  The parts of this I-D that were acceptable to the working group were
incorporated in RFC 4120.

Jeffrey Altman
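The thread above is about which SRV owner names a Kerberos client should query and what a resolver does with the answers. As an added example (not code from the draft, from MIT, or from Heimdal), the following Python builds the owner names for the realm services under discussion and applies the RFC 2782 selection rule to SRV records: ascending priority, weighted-random order within a priority, and the "single record with target `.`" convention meaning the service is explicitly not offered. The `_kerberos` and `_kpasswd` names are those in RFC 4120 section 7.2.3.2; `_kerberos-adm._tcp` is the de facto kadmin name mentioned in the thread, not a standardized one. The realm name, hostnames and record values are constructed for illustration.

```python
"""RFC 2782 SRV ordering for Kerberos realm service discovery (added example)."""
import random
from dataclasses import dataclass

# Owner-name labels per service.  _kerberos and _kpasswd come from RFC 4120
# section 7.2.3.2; _kerberos-adm._tcp is the MIT/Heimdal-documented kadmin name
# discussed in the thread and is not standardized.
SERVICE_LABELS = {
    "kdc": ("_kerberos", ("_udp", "_tcp")),
    "kpasswd": ("_kpasswd", ("_udp", "_tcp")),
    "kadmin": ("_kerberos-adm", ("_tcp",)),
}


@dataclass(frozen=True)
class SRV:
    """One SRV RDATA tuple (RFC 2782)."""
    priority: int
    weight: int
    port: int
    target: str


def srv_names(service: str, realm: str) -> list:
    """Owner names to query for `service` in `realm`, one per transport.

    The realm is used verbatim; DNS matching is case-insensitive even though
    Kerberos realm names are case-sensitive, which callers must keep in mind.
    """
    label, protos = SERVICE_LABELS[service]
    return [f"{label}.{proto}.{realm.rstrip('.')}." for proto in protos]


def service_unavailable(records: list) -> bool:
    """RFC 2782: a lone record whose target is '.' means 'not offered here'."""
    return len(records) == 1 and records[0].target == "."


def order_srv(records: list, rng=random.random) -> list:
    """Return records in the order a client should try them (RFC 2782).

    Lower priority first.  Within one priority, repeatedly pick a record at
    random with probability proportional to its weight; weight-0 records have
    an effectively small chance and are the fallback when the group sums to 0.
    `rng` returns a float in [0, 1) and is injectable for deterministic tests.
    """
    if service_unavailable(records):
        return []
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng() * total if total else 0
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


# Constructed sample answer for _kerberos-adm._tcp.EXAMPLE.COM.: two admin
# servers sharing the preferred priority, one lower-priority fallback.
SAMPLE_KADMIN = [
    SRV(priority=10, weight=60, port=749, target="kadmin1.example.com."),
    SRV(priority=10, weight=40, port=749, target="kadmin2.example.com."),
    SRV(priority=20, weight=0, port=749, target="kadmin3.example.com."),
]

if __name__ == "__main__":
    print(srv_names("kadmin", "EXAMPLE.COM"))
    for rec in order_srv(SAMPLE_KADMIN):
        print(f"try {rec.target}:{rec.port}")
```

The `rng` parameter exists so the weighted step can be pinned in tests; production code would leave the default. Note that the SRV answer itself is unauthenticated unless the resolver validates DNSSEC, so the result of discovery tells the client where to send its first message and nothing more: which server it is actually talking to is established by Kerberos's own authentication, not by the lookup.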