Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Nico Williams <nico@cryptonector.com> Tue, 15 September 2015 17:13 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65ADB1A6FF9 for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 10:13:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZDcQGxbzVXrS for <kitten@ietfa.amsl.com>; Tue, 15 Sep 2015 10:13:08 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B95501A6FF1 for <kitten@ietf.org>; Tue, 15 Sep 2015 10:13:08 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTP id 029435080E0; Tue, 15 Sep 2015 10:13:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=cryptonector.com; bh=hroQnJ6zqYdsxLpYYdZH2Baav2k =; b=KfitbesJLjtcnyZVq/t4Sni3JZ0YZupRKPPOF1SxC96PMU7yvlky/JTBdro blgiUnmM5cgw4vjGXCrWI8R1h1d1rIgbkDHBxckZjEDdMiObdCC4hrzRmlFjKV7n 8zgvAvFVLmG0ZcbFnDfNPKt7K8MaoTMu1BYEmXYSuOPnrvtc=
Received: from localhost (108-207-244-100.lightspeed.austtx.sbcglobal.net [108.207.244.100]) (Authenticated sender: nico@cryptonector.com) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTPA id AE3325080DB; Tue, 15 Sep 2015 10:13:06 -0700 (PDT)
Date: Tue, 15 Sep 2015 12:13:01 -0500
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <20150915171259.GH13294@localhost>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl> <20150915144724.GJ21942@mournblade.imrryr.org> <55F8350B.5030805@openfortress.nl> <20150915162022.GM21942@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150915162022.GM21942@mournblade.imrryr.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/R_uIYNcYtV5fjKV5rkSG8G7xcME>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 17:13:10 -0000

On Tue, Sep 15, 2015 at 04:20:22PM +0000, Viktor Dukhovni wrote:
> On Tue, Sep 15, 2015 at 05:11:07PM +0200, Rick van Rein wrote:
> 
> I'm not assuming anything.  I'm proposing that:
> 
> 	_kerberos.host.example.com. IN PTR EXAMPLE.COM.
> 
> mean that the realm of "host.example.com" is "EXAMPLE.COM".  If
> this mapping sometimes loses case, it may well be time to consider
> defining the realm portion of Kerberos principals to be case-insensitive
> for A-labels, and for non-ASCII names (as with IDNA 2008) *required*
> to be effectively lower-case for U-labels.

Windows and AD are already case-insensitive/preserving for realm names
now.  I think it'd be a good idea to do the same in other
implementations.  For KDB lookups they may need to internally
canonicalize realm name case.  For name-based authorization, services may
need to canonicalize realm name case as well.  But this isn't hard
because KDCs and services usually have sources of canonical realm case
already (in krb5.conf, in the KDB, in keytabs).

> The realm is going to be used for SRV lookups, and needs to be a
> valid DNS name.  Also the realm should be case-insensitive anyway,
> time to bite that bullet.

It's going to be some work (see above), but I agree.

> > I would like to hear if i18n experts agree to such mappings.  And
> > especially in the context of Kerberos, where we are dealing with older
> > applications that were a bit too liberal with what they put into their
> > realm name fields.
> 
> They don't all have to use DNS for realm mappings, they've gotten
> by without so far.

Indeed, between referrals and just... not having out-of-zone realms for
hosts we've not needed this.

> Of course you could simply standardize the current informal
> 
>     _kerberos.host.example.com. IN TXT "EXAMPLE.COM"

Informative will do.

Nico
--
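Added example, not part of the thread above or of any Kerberos implementation: a small Python model of the two points under discussion, host-to-realm discovery from `_kerberos` PTR/TXT records and case-insensitive canonicalization of the discovered realm against a local source of canonical spellings (krb5.conf, the KDB, or a keytab, as Nico describes). The zone data and the known-realm set are constructed stand-ins for DNSSEC-validated answers and for local configuration; the walk from `_kerberos.<host>` up through parent domains, and the ASCII-only case fold that leaves U-labels untouched, are my assumptions about how such a lookup would be implemented.

```python
"""Constructed example: _kerberos realm discovery with case-insensitive
canonicalisation against locally known realm names."""
from typing import List, Optional

# Constructed zone data standing in for DNSSEC-validated answers.
# Owner name -> list of (rrtype, rdata). Both PTR and TXT forms appear.
ZONE = {
    "_kerberos.host.example.com.": [("PTR", "Example.COM.")],
    "_kerberos.example.net.":      [("TXT", "EXAMPLE.NET")],
    "_kerberos.example.org.":      [("TXT", "Example.Org")],
}

# Canonical realm spellings a KDC or service already holds locally
# (assumed to be loaded from krb5.conf, the KDB or a keytab).
KNOWN_REALMS = {"EXAMPLE.COM", "EXAMPLE.NET"}


def fold_realm(realm: str) -> str:
    """Comparison key for a realm name: drop a trailing dot, lower-case
    ASCII only. Non-ASCII (U-label) characters are left as-is, on the
    assumption that such realms are already in lower-case form."""
    r = realm.rstrip(".")
    return "".join(c.lower() if c.isascii() else c for c in r)


def realm_candidates_from_dns(hostname: str) -> List[str]:
    """Look up _kerberos.<host>, then _kerberos.<parent>, ... and return the
    realm rdata found at the most specific owner that has any."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:]) + "."
        found = [rdata for rrtype, rdata in ZONE.get(owner, [])
                 if rrtype in ("PTR", "TXT")]
        if found:
            return found
    return []


def canonical_realm(realm: str, known=KNOWN_REALMS) -> Optional[str]:
    """Map a DNS-supplied realm to the locally canonical spelling, ignoring
    case. Returns None when the realm is not known locally."""
    index = {fold_realm(k): k for k in known}
    return index.get(fold_realm(realm))


def realm_for_host(hostname: str) -> Optional[str]:
    """Realm for a host: the canonical local spelling when the DNS answer
    matches a known realm, otherwise the DNS spelling itself (minus the
    trailing dot), or None when DNS has no mapping at all."""
    for cand in realm_candidates_from_dns(hostname):
        canon = canonical_realm(cand)
        if canon is not None:
            return canon
    candidates = realm_candidates_from_dns(hostname)
    return candidates[0].rstrip(".") if candidates else None


if __name__ == "__main__":
    for h in ("host.example.com", "www.sub.example.net",
              "srv.example.org", "other.invalid"):
        print(f"{h:24} -> {realm_for_host(h)}")
```

The fall-through in `realm_for_host` is the client-side case: a workstation has no KDB or keytab to anchor the spelling, so it can only carry the DNS value forward into the SRV lookup, which is itself case-insensitive; a KDC or service, holding canonical names locally, folds the answer into its own spelling before using it for KDB lookups or authorization.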