Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Nico Williams <nico@cryptonector.com> Tue, 15 September 2015 17:13 UTC
Date: Tue, 15 Sep 2015 12:13:01 -0500
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <20150915171259.GH13294@localhost>
In-Reply-To: <20150915162022.GM21942@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/R_uIYNcYtV5fjKV5rkSG8G7xcME>
On Tue, Sep 15, 2015 at 04:20:22PM +0000, Viktor Dukhovni wrote:
> On Tue, Sep 15, 2015 at 05:11:07PM +0200, Rick van Rein wrote:
>
> > I'm not assuming anything. I'm proposing that:
> >
> >     _kerberos.host.example.com. IN PTR EXAMPLE.COM.
> >
> > mean that the realm of "host.example.com" is "EXAMPLE.COM".
>
> If this mapping sometimes loses case, it may well be time to consider
> defining the realm portion of Kerberos principals to be case-insensitive
> for A-labels, and for non-ASCII names (as with IDNA 2008) *required*
> to be effectively lower-case for U-labels.

Windows and AD are already case-insensitive/preserving for realm names
now.  I think it'd be a good idea to do the same in other
implementations.

For KDB lookups they may need to internally canonicalize realm name
case.  For name-based authorization, services may need to canonicalize
realm name case as well.  But this isn't hard because KDCs and services
usually have sources of canonical realm case already (in krb5.conf, in
the KDB, in keytabs).

> The realm is going to be used for SRV lookups, and needs to be a
> valid DNS name.  Also the realm should be case-insensitive anyway,
> time to bite that bullet.

It's going to be some work (see above), but I agree.

> > I would like to hear if i18n experts agree to such mappings.  And
> > especially in the context of Kerberos, where we are dealing with older
> > applications that were a bit too liberal with what they put into their
> > realm name fields.
>
> They don't all have to use DNS for realm mappings, they've gotten
> by without so far.

Indeed, between referrals and just... not having out-of-zone realms for
hosts we've not needed this.

> Of course you could simply standardize the current informal
>
>     _kerberos.host.example.com. IN TXT "EXAMPLE.COM"

Informative will do.

Nico
--
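The host-to-realm mapping and the case handling discussed in this thread, as an added example that is not code from the thread or from any Kerberos implementation: it takes the `_kerberos.<host>` TXT or PTR answers, accepts them only when the resolver validated them with DNSSEC, checks the realm is a usable DNS name (it will be fed to SRV lookups), and canonicalizes its case against a local table standing in for krb5.conf or the KDB. `Answer` and `KNOWN_REALMS` are constructed stand-ins, not real APIs or data.

```python
import re
from dataclasses import dataclass


@dataclass
class Answer:
    """Constructed stand-in for one resolver record under _kerberos.<host>."""
    rrtype: str       # "TXT" or "PTR"
    rdata: str        # realm as carried in the record
    validated: bool   # True only if the resolver reported the AD (DNSSEC) bit


# Hypothetical local source of canonical realm case (krb5.conf / KDB / keytab).
KNOWN_REALMS = {"EXAMPLE.COM", "Sub.Example.COM"}   # constructed sample data

# One LDH label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_name(name):
    """A realm that cannot be an SRV owner name is useless for discovery."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and all(_LABEL.match(label) for label in labels)


def canonical_realm(name):
    """Case-insensitive match; return the locally known spelling if we have
    one, otherwise preserve the case exactly as received."""
    wanted = name.rstrip(".").lower()
    for realm in KNOWN_REALMS:
        if realm.lower() == wanted:
            return realm
    return name.rstrip(".")


def realm_from_answers(answers):
    """Pick the realm for a host from its _kerberos.<host> records, or None."""
    for ans in answers:
        if not ans.validated:
            continue   # unsigned answer: an on-path forger could map the host anywhere
        if ans.rrtype not in ("TXT", "PTR"):
            continue
        candidate = ans.rdata.strip('"')   # TXT rdata carries surrounding quotes
        if not is_valid_dns_name(candidate):
            continue   # e.g. a legacy realm string with spaces or other junk
        return canonical_realm(candidate)
    return None
```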