Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
Nathaniel McCallum <npmccallum@redhat.com> Tue, 17 May 2016 20:43 UTC
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>, kitten@ietf.org
Date: Tue, 17 May 2016 16:43:21 -0400
In-Reply-To: <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com>
References: <1463500163.2432.9.camel@redhat.com> <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com>
On Tue, 2016-05-17 at 12:25 -0400, Jeffrey Altman wrote:
> On 5/17/2016 11:49 AM, Nathaniel McCallum wrote:
> > https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-02
> >
> > I'd like to propose adoption of this draft:
> >
> > 1. It is in the scope of the WG. This is an extension to the discovery
> > methods already defined in RFC 4120.
> >
> > 2. It is beneficial. It provides both speed improvements and additional
> > functionality (discovery of MS-KKDCP proxies).
> >
> > 3. It is small. It avoids defining new: DNS names, DNS semantics, URIs,
> > or transport semantics. It simply combines the existing tools in a
> > fairly obvious way.
> >
> > Thoughts?
>
> Having read the draft I am totally unclear how it is implemented.
>
> _kerberos.REALM
>
> is not a valid DNS URI record name. To translate the URI
>
> https://host[:port][path]
>
> to a URI record requires
>
> _kerberos._https.host
>
> not
>
> _kerberos.host

It doesn't actually require this. It just gives examples.

> DNS URI records according to RFC 7553 work just like DNS SRV records in
> that they require both a service name and a protocol name. Switching to
> URI records does not solve the problem of multiple DNS queries.
>
> To find a KDC that supports https, use the DNS SRV record
>
> _kerberos._https.REALM

_https isn't a thing. You'd have to do something like: _http._tls._tcp.

> registering additional service types such as "kpasswd" can be done but
> the fact is implementations such as Heimdal already perform SRV lookups for
>
> _kpasswd._tcp.REALM and _kpasswd._udp.REALM

At the cost of one DNS query per transport. Further, administrators have no control over the weights or priorities between transports. My draft provides this.

> Can you make a case for something that DNS URI records provide that DNS
> SRV records do not?

Yes. MS-KKDCP requires a path. SRV records cannot provide a path.

> The introduction of DNS URI records will only mean that in practice that
> Kerberos client libraries will need to issue the DNS URI queries in
> addition to the existing DNS SRV records.

We will need to add at least one more DNS query to support MS-KKDCP (two if we have to treat http and https as separate queries). This is unavoidable. While it is true that this will result in a 50% increase in DNS queries, using my URI scheme means that a simple administrator configuration can turn this 50% increase into a 50% decrease in queries over the existing implementations. This is a win.
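An added illustration of the two points argued above (a URI record target can carry a scheme and path that an SRV target cannot, and one RRset can rank endpoints across transports by priority and weight); this is example code, not from the draft or any participant, and the `_kerberos.EXAMPLE.COM` RRset and its target URI syntax are constructed here rather than taken from the draft:

```python
"""Ordering RFC 7553 URI records for KDC discovery (added example)."""
import random
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UriRecord:
    priority: int  # lower value is contacted first
    weight: int    # relative share among records of equal priority
    target: str    # full URI, so scheme, port and path all fit


# Constructed RRset for a hypothetical _kerberos.EXAMPLE.COM owner name.
# The "krb5://" and "https://.../KdcProxy" targets are illustrative only.
RRSET = [
    UriRecord(20, 0, "https://proxy.example.com/KdcProxy"),  # fallback proxy
    UriRecord(10, 30, "krb5://kdc1.example.com:88"),
    UriRecord(10, 70, "krb5://kdc2.example.com:88"),
]


def order_records(rrset, rng=None):
    """Return records in contact order: ascending priority, then a weighted
    random draw within each priority, as SRV (RFC 2782) clients do."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in rrset}):
        bucket = [r for r in rrset if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered


def endpoint(record):
    """Split a target into (scheme, host, port, path). The path component
    is what an MS-KKDCP proxy needs and what an SRV target cannot express."""
    u = urlsplit(record.target)
    default_port = {"https": 443, "krb5": 88}.get(u.scheme)
    return u.scheme, u.hostname, u.port or default_port, u.path
```

With one RRset, both plain KDCs and the HTTPS proxy are ranked together, so an administrator's priorities decide the transport order instead of the client's fixed query sequence.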