IETF Logo Mail Archive

Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Rick van Rein <rick@openfortress.nl> Tue, 15 September 2015 15:11 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B06931B4FE4 for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 08:11:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uInVDq1bBMqR for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 08:11:25 -0700 (PDT)
Received: from lb1-smtp-cloud3.xs4all.net (lb1-smtp-cloud3.xs4all.net [194.109.24.22]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D50611B5002 for <kitten@ietf.org>; Tue, 15 Sep 2015 08:11:11 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud3.xs4all.net with ESMTP id HTB81r00j10HQrX01TB9aW; Tue, 15 Sep 2015 17:11:10 +0200
Message-ID: <55F8350B.5030805@openfortress.nl>
Date: Tue, 15 Sep 2015 17:11:07 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: kitten@ietf.org
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl> <20150915144724.GJ21942@mournblade.imrryr.org>
In-Reply-To: <20150915144724.GJ21942@mournblade.imrryr.org>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Oyw3xIQGU3Em5ZHbE-SmdlrP3j4>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 15:11:30 -0000

Hi Vik,

>> The value of PTR is a <domain-name> rather than a binary <character-string>,
>> which makes it case-insensitive and I wouldn't be surprised if some name
>> server mangled the case of PTR records to all-lowercase.
>
> No, it is not "case-insensitive".  The value of PTR records is
> returned verbatim by nameservers.  What's case insensitive is
> lookups derived from that name when you use it in a query string.

RFC 4343 states that DNS compression of domain names can lead to
conversion of case for RRtypes defined in RFC 1035.

There is another reason to prefer a binary format, and that is to leave
the door ajar for future i18n attempts of Kerberos realm names.  That is
hard enough as it is now, without having to deal with DNS i18n as well.
>
>> Finally, the PTR record already has its meaning, and that is not the one
>> we have in mind.
>
> It it *exactly* the meaning you have in mind.  A DNS name that is
> not an alias.  A pointer to another place in the DNS.

Assuming a Kerberos realm from a DNS name is not automatically safe
because it may not be intended as such by the DNS zone operator /
signer.  Because not all DNS names are intended to be, or have Kerberos
realms.  That is the problem with overloaded / mind-read types that also
have anohter life.
> Many firewalls mistakenly filter "exotic" DNS queries.  The KREALM
> RRtype will encounter unnecessary friction.

I know that, the same can happen to DNSSEC queries.  It is why I expect
this to be easier to implement on a KDC located in a customised
networking context than on a Kerberos client in an undefined
environment.  Still, that is quite acceptable, as long as
canonicalisation will allow the KDC to respond with Cross-Realm Routing
hints as in Section 9 of RFC 6806.
> With the PTR record, UTF-8 labels in Kerberos realms can be converted
> to A-labels in zone files and on the wire, with the client mapping
> them back to U-labels to reconstruct the realm name, and using the
> A-labels directly to locate SRV records, ...

I would like to hear if i18n experts agree to such mappings.  And
especially in the context of Kerberos, where we are dealing with older
applications that were a bit too liberal with what they put into their
realm name fields.
> Kerberos realms in DNS should be DNS names,

I've found that people in the Kerberos community treat old habits as
things that die hard.  What you are saying probably applies to 99% of
the users, but I see no point to forbid other forms of realm name in
DNS.  If others agree with Vik, then a +1 note may help, because without
more of those I simply fear making a dramatic choice that will make
people dislike this proposal.


Thanks,
 -Rick

v2.23.0 | Report a Bug | By Email