Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

[Rick van Rein <rick@openfortress.nl>]

Hey,

>> www.example.org.  IN KREALM  "EXAMPLE.ORG"
>>                   IN KREALM "EXAMPLE.COM"
> I think we might want to add a priority number in the RDATA, especially
> for implementations that currently don't handle more than one realm
> per-host.  Otherwise those implementations either will show
> non-deterministic behavior or their implementors will have that much
> more work to do to implement this.

A full-blown priority scheme (and the need to sort on it) is perhaps a bit much for just that; a flag that signals "this record is (among) the most likely to work for you" seems to be all you need, and is much simpler to implement, especially for such contrived clients.

But... would it be fair to assume that KREALM-supporting hosts must implement some new functionality anyway to support this stuff in DNS, and should be willing to iterate over realms until they get a ticket for one they can stick with?

See... we're requiring DNSSEC to validate the KREALM record, and it is going to be difficult in general to rely on clients to accomadate that; they may be subjected to crummy NAT routers that interfere with, and break DNSSEC.  So, we will probably be dependent on KDCs for practical deployment of KREALM, and a KDC could use KREALM records to inspire a Server Referral in the style of RFC 6806.

So... it may be reasonable to assume that any KREALM client could work with multiple realms, because they will normally be KDCs.  And that'd mean we wouldn't need this priority or go-for-this-one flag.  Agreed?

-Rick