Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Rick van Rein <rick@openfortress.nl> Tue, 15 September 2015 15:11 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B06931B4FE4 for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 08:11:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uInVDq1bBMqR for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 08:11:25 -0700 (PDT)
Received: from lb1-smtp-cloud3.xs4all.net (lb1-smtp-cloud3.xs4all.net [194.109.24.22]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D50611B5002 for <kitten@ietf.org>; Tue, 15 Sep 2015 08:11:11 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud3.xs4all.net with ESMTP id HTB81r00j10HQrX01TB9aW; Tue, 15 Sep 2015 17:11:10 +0200
Message-ID: <55F8350B.5030805@openfortress.nl>
Date: Tue, 15 Sep 2015 17:11:07 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: kitten@ietf.org
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl> <20150915144724.GJ21942@mournblade.imrryr.org>
In-Reply-To: <20150915144724.GJ21942@mournblade.imrryr.org>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Oyw3xIQGU3Em5ZHbE-SmdlrP3j4>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 15:11:30 -0000
Hi Vik, >> The value of PTR is a <domain-name> rather than a binary <character-string>, >> which makes it case-insensitive and I wouldn't be surprised if some name >> server mangled the case of PTR records to all-lowercase. > > No, it is not "case-insensitive". The value of PTR records is > returned verbatim by nameservers. What's case insensitive is > lookups derived from that name when you use it in a query string. RFC 4343 states that DNS compression of domain names can lead to conversion of case for RRtypes defined in RFC 1035. There is another reason to prefer a binary format, and that is to leave the door ajar for future i18n attempts of Kerberos realm names. That is hard enough as it is now, without having to deal with DNS i18n as well. > >> Finally, the PTR record already has its meaning, and that is not the one >> we have in mind. > > It it *exactly* the meaning you have in mind. A DNS name that is > not an alias. A pointer to another place in the DNS. Assuming a Kerberos realm from a DNS name is not automatically safe because it may not be intended as such by the DNS zone operator / signer. Because not all DNS names are intended to be, or have Kerberos realms. That is the problem with overloaded / mind-read types that also have anohter life. > Many firewalls mistakenly filter "exotic" DNS queries. The KREALM > RRtype will encounter unnecessary friction. I know that, the same can happen to DNSSEC queries. It is why I expect this to be easier to implement on a KDC located in a customised networking context than on a Kerberos client in an undefined environment. Still, that is quite acceptable, as long as canonicalisation will allow the KDC to respond with Cross-Realm Routing hints as in Section 9 of RFC 6806. > With the PTR record, UTF-8 labels in Kerberos realms can be converted > to A-labels in zone files and on the wire, with the client mapping > them back to U-labels to reconstruct the realm name, and using the > A-labels directly to locate SRV records, ... I would like to hear if i18n experts agree to such mappings. And especially in the context of Kerberos, where we are dealing with older applications that were a bit too liberal with what they put into their realm name fields. > Kerberos realms in DNS should be DNS names, I've found that people in the Kerberos community treat old habits as things that die hard. What you are saying probably applies to 99% of the users, but I see no point to forbid other forms of realm name in DNS. If others agree with Vik, then a +1 note may help, because without more of those I simply fear making a dramatic choice that will make people dislike this proposal. Thanks, -Rick
- [kitten] Finding Kerberos Realm Descriptors in se… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Martin Rex
- Re: [kitten] Finding Kerberos Realm Descriptors i… Watson Ladd
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams