Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Nico Williams <nico@cryptonector.com> Tue, 15 September 2015 15:47 UTC

Date: Tue, 15 Sep 2015 10:47:30 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20150915154729.GF13294@localhost>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl>
In-Reply-To: <55F7CB98.6060300@openfortress.nl>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Ychi-ut2-TOOeIgBxAEY2bhY3Pc>
Cc: kitten@ietf.org
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

On Tue, Sep 15, 2015 at 09:41:12AM +0200, Rick van Rein wrote:
> > Text strings used to be handy for realm names in DNS when associated
> > SRV records were plausibly optional.  These days, the REALM *should*
> > be a DNS name.
> 
> If that's not MUST then I don't think it's a safe assumption to make.

If you want to use DNS then you must be using DOMAIN-style realm names.
That's a fair requirement to make.

> > Therefore, a simpler design would be:
> >
> >     ; Realm mapping per-host reduces lookup latency
> >     ;
> >     _kerberos.host.name.example.com. IN PTR EXAMPLE.COM.
> 
> The value of PTR is a <domain-name> rather than a binary
> <character-string>, which makes it case-insensitive and I wouldn't be
> surprised if some name server mangled the case of PTR records to
> all-lowercase.

DNS is case-insensitive for QNames, and preserves their case in the
answer section, but not in any RDATAs in the response.

> Also, the trailing dot is not the only form that may be used; there
> can be relative names.

Relative to what?  The QName?  Wouldn't that be a form of compression?
DNS already knows how to compress domain names in PTR RDATAs (there
won't be so many answers and additional RRs that compression will be
meaningful, so relative realm names could be potentially useful, but
probably not enough to be something we should drop Viktor's proposal
for).

> And, you are using PTR in forward DNS, which may upset people.

"Meh".  I don't think it will be a problem.

> Finally, the PTR record already has its meaning, and that is not the
> one we have in mind.  The new RRtype can be hard and clear about its
> meaning for Kerberos, and avoid security questions relating to the use
> of certain records.

STD 13 doesn't restrict PTR as you think.  It doesn't even limit the
number of PTR RRs in an answer to one (though all getnameinfo()/similar
implementations always expect only one answer and use only the first).

> I've initially proposed overloading TXT and that gave strong responses

Yes, that was predictable :)

> to instead register a new RRtype, and nobody on DNSEXT is questioning
> that change.  I therefore propose to not follow your idea.  It made me
> smile though, because it is an interesting find.

Lack of objection doesn't mean they reviewed and approved.  And KITTEN
WG's consensus is still needed, and we're free to have objections that
DNSEXT didn't.

Nico
--
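As an added illustration of the case-preservation and compression points above (this code is not from the thread or from any of the drafts discussed), the following decoder reads a PTR answer for the `_kerberos.host.name.example.com.` design and shows how the realm's case can depend on the server's encoding rather than on the zone. The responses are constructed here; the second one assumes a hypothetical server that compresses the PTR RDATA with a pointer (0xC020, offset 32 in this particular message) into the `example.com` labels of the client's question.

```python
import struct
PTR, IN = 12, 1

def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a dotted name; the case is kept as given."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: continue elsewhere
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_ptr_response(qname: str, rdata: bytes) -> bytes:
    """Constructed response: header, the question, one PTR answer owned by QNAME."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", PTR, IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", PTR, IN, 3600, len(rdata)) + rdata
    return header + question + answer

def realm_from_response(msg: bytes) -> str:
    """Return the realm from the first PTR answer exactly as it arrived on the wire."""
    _, off = read_name(msg, 12)                       # QNAME
    off += 4                                          # QTYPE, QCLASS
    _, off = read_name(msg, off)                      # answer owner name
    rtype, _, _, _ = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype != PTR:
        raise ValueError("first answer is not a PTR")
    return read_name(msg, off)[0]

QNAME = "_kerberos.host.name.example.com."
LITERAL = build_ptr_response(QNAME, encode_name("EXAMPLE.COM"))   # realm as stored in the zone
COMPRESSED = build_ptr_response(QNAME, b"\xC0\x20")   # hypothetical: RDATA points into the question
```

Because Kerberos compares realm names case-sensitively, the two decoded realms (`EXAMPLE.COM.` versus `example.com.`) would not match, which is the concern behind choosing a type whose RDATA is an opaque character string.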