IETF Logo Mail Archive

Re: [kitten] Kerberos Service Discovery using DNS

Petr Spacek <pspacek@redhat.com> Thu, 02 April 2015 17:21 UTC

Return-Path: <pspacek@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A44B1AD364 for <kitten@ietfa.amsl.com>; Thu, 2 Apr 2015 10:21:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADKnnHkL3-Cc for <kitten@ietfa.amsl.com>; Thu, 2 Apr 2015 10:21:35 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6BAF1AD2C0 for <kitten@ietf.org>; Thu, 2 Apr 2015 10:21:35 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t32HLYfh018202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 2 Apr 2015 13:21:34 -0400
Received: from pspacek.brq.redhat.com ([10.34.250.188]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t32HLWxM013035 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Thu, 2 Apr 2015 13:21:33 -0400
Message-ID: <551D7A9C.4030309@redhat.com>
Date: Thu, 02 Apr 2015 19:21:32 +0200
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>, Nathaniel McCallum <npmccallum@redhat.com>
References: <1425578271.2715.5.camel@redhat.com> <551121EE.1070300@redhat.com> <1427200587.29553.0.camel@redhat.com> <55117291.2040002@mit.edu>
In-Reply-To: <55117291.2040002@mit.edu>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/PHcKKOP95TRTAZai6hmoDnp3eQA>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 17:21:37 -0000

On 24.3.2015 15:20, Greg Hudson wrote:
> On 03/24/2015 08:36 AM, Nathaniel McCallum wrote:
>> On Tue, 2015-03-24 at 09:35 +0100, Petr Spacek wrote:
>>> It seems like a good idea to standardize _kerberos-master URI record 
>>> too (with
>>> semantics equal to the one described on
>>> http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/realm_config.html).
> 
>> I *think* this might be MIT specific. Maybe Greg can answer that?
> 
> It does look like only MIT krb5 implements it.
> 
> The semantics of _kerberos-master are "these addresses represent KDCs
> (usually just one) which are more up to date than the other KDCs in the
> realm, so retry with one of these if your first try fails for most
> reasons."  In some realms the master KDC isn't one of the regular KDCs,
> in order to shed the majority of the load from the KDC which is also
> running kadmind.
> 
> These semantics are not generally needed for a realm with fast
> replication (iprop with low polling delay, LDAP, etc.), but there are
> enough realms with slow replication that we're not about to discard
> those semantics.
> 
> It might be good if master KDC entries could be obtained in the same DNS
> lookup as regular KDC entries, but none of the ways I can think of to do
> it are particularly elegant.  We would need to be able to annotate each
> URI with "this is also a master KDC" or "this is only a master KDC".
> Shoving that tri-state into each URI scheme wouldn't be very elegant;
> designating magic priority values for the URI record would be a layering
> violation.  It's not really a big deal if a second DNS lookup is needed
> for the fallback.
> 
> I have no strong opinion on whether the discovery standard needs to talk
> about this.  MIT krb5 can always continue to implement it as a
> non-standardized feature, using the same lookup behavior as the
> _kerberos URI record but with the label changed to _kerberos-master.

IMHO:
I would not optimize for fallback when it means obfuscating the original idea.
I.e. a separate DNS name like _kerberos_master with URIs of masters sounds
fine to me.

Also, I do not see a reason not to standardize it because it is deadly
simple/cheap and allows Heimdal and others to be interoperable if they decide
to support this feature in future.

-- 
Petr^2 Spacek

v2.23.0 | Report a Bug | By Email