Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Nico Williams <nico@cryptonector.com> Mon, 14 September 2015 15:28 UTC

Date: Mon, 14 Sep 2015 10:28:33 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20150914152832.GB13294@localhost>
References: <55F686EA.30206@openfortress.nl> <20150914151115.GA13294@localhost>
In-Reply-To: <20150914151115.GA13294@localhost>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/KpUGKog5lvacf2uBJS1yBwHDle8>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

On Mon, Sep 14, 2015 at 10:11:16AM -0500, Nico Williams wrote:
> On Mon, Sep 14, 2015 at 10:35:54AM +0200, Rick van Rein wrote:
> > (when not found, searches move upward in the DNS tree but not beyond
> > the zone apex; the I-D specifies an efficient, DNS-folk-agreeable way
> > of doing this)
> 
> I'll have to look.

I don't think that the zone apex is necessarily a good place to stop.
DNS delegation does not imply as much as you make it out to.  I'm not
sure what the best thing to do here is.  I'll think about it.  But I'm
quite certain that DNS zone cuts are not the right thing to use.

Also, your method is:

|  5.  When the type bit map in the secure denial indicates the presence
|      of a SOA record under the current name, then no further
|      iterations are possible, and the algorithm ends in failure.

which fails if there are KREALM RRs for some things but not realm.

I think the "key" part of the KREALM RR RDATA may be best as an
_-prefixed label in the qname (not least as it reduces response size, at
the expense of increasing the number of queries when the client needs
more than one key's RDATA, but this is fine I think).

Then there'd not be much difference between a KREALM RR and a TXT RR...

Nico
--
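The objection above concerns the quoted step 5: the apex check depends on a secure denial's type bit map, which a resolver never receives when the queried name does carry KREALM RRs for other keys. The following constructed model (added here, not code from the thread, the I-D, or any DNS library) walks upward exactly as step 5 says and shows that a "realm" entry at the apex is never reached from a name that only has a different key; the zone contents, the (key, value) shape of KREALM RDATA and the resolver loop are illustrative assumptions.

```python
# Constructed model of the upward KREALM search criticised in the message.
# Zone data, the (key, value) RDATA shape and the loop are assumptions for
# illustration only; they are not the I-D's text or real DNS resolver code.

# name -> {rrtype: rdata}. "SOA" marks the zone apex. A name that exists
# without KREALM still has a type bit map, as an NSEC/NSEC3 denial would show.
ZONE = {
    "example.com.": {"SOA": ("ns1.example.com.",),
                     "KREALM": [("realm", "EXAMPLE.COM")]},
    "dept.example.com.": {"KREALM": [("admin", "hostmaster@example.com")]},
    "host.dept.example.com.": {"A": "192.0.2.10"},
}

def parent(name):
    """Strip the leftmost label: host.dept.example.com. -> dept.example.com."""
    labels = name.split(".", 1)
    return labels[1] if len(labels) == 2 else "."

def query(name, rrtype):
    """Return (rdata, None) on a positive answer, or (None, type_bitmap) on a
    secure denial. The bitmap stands in for the NSEC/NSEC3 type bit map that
    a validating resolver sees only in a denial."""
    rrsets = ZONE.get(name, {})
    if rrtype in rrsets:
        return rrsets[rrtype], None
    return None, frozenset(rrsets)

def find_realm(start, key="realm", max_steps=8):
    """Walk upward as in the quoted step 5: climb only on a secure denial,
    and end in failure once the denial's bitmap shows a SOA at this name."""
    name = start
    for _ in range(max_steps):
        rdata, bitmap = query(name, "KREALM")
        if rdata is None:                  # secure denial: bitmap available
            if "SOA" in bitmap:            # step 5: apex reached, give up
                return None
            name = parent(name)
            continue
        for k, v in rdata:                 # positive answer: scan RDATA keys
            if k == key:
                return v
        # KREALM RRs exist here but none carries the wanted key. There was no
        # denial, hence no bitmap, so step 5 cannot tell whether this is the
        # apex; the algorithm as quoted gives no rule for this case, so the
        # "realm" record one level up is never consulted.
        return None
    return None
```

The _-prefixed-label variant proposed in the message is not modelled; with the key in the qname, a lookup for one key is either answered or denied, so the positive-but-irrelevant answer shown here does not arise.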