Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 16 September 2015 18:08 UTC

On Wed, Sep 16, 2015 at 08:51:56AM +0200, Rick van Rein wrote:

> Passing this through ods-signer (from OpenDNSSEC) already maps the PTR
> values to lowercase, probably as part of name canonicalisation in
> preparation of signing.

That's unnecessary.  The actual records need not be in canonical
form, just the input to the signatures needs to be canonicalized.

> Manually editing the ods-signer output to mixed
> and uppercase again, reloaded it into the NSD name server... and again,
> the PTR values are mapped to lowercase.

They are not generally mapped to lower-case at zone construction time:

    $ dig +noall +nocl +nottl +ans -t ptr -x 169.229.218.207
    207.218.229.169.in-addr.arpa. PTR ees-ppworker-prod-01.IST.Berkeley.EDU.

However, "compression" means that the case of domains in the query
influences the output:

    $ dig +noall +ans +nocl +nottl -t ptr \
        _kerberos.uppercase.ptrdemo.VanReiN.org
    _kerberos.UPPERCASE.ptrdemo.VanReiN.org. PTR uppercase.VanReiN.org.

so indeed PTR is not case-preserving.

The choice is to use "TXT" which is already supported by both MIT
and Heimdal, or to bite the bullet and define realms as being domain
names, and if two strings are the same valid domain name, then they
are the same realm.

I still see no advantage in introducing KREALM.  Just needlessly
less usable than TXT.

-- 
	Viktor.
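
The compression effect described in the message above, shown on the wire as an added example that is not part of the original message or of any name server's code. It models a server that compresses PTR rdata against the question name with case-insensitive suffix matching; the function names, the stored target spelling `uppercase.VANREIN.ORG.` and the TXT value `VANREIN.ORG` are constructed assumptions.

```python
import struct

PTR, TXT = 12, 16

def encode_name(name, msg, offsets):
    """Append a name; reuse an earlier suffix via an RFC 1035 pointer.
    Suffixes are matched case-insensitively, so the first spelling wins."""
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in offsets:
            msg.extend(struct.pack("!H", 0xC000 | offsets[suffix]))
            return
        offsets[suffix] = len(msg)
        msg.append(len(label))
        msg.extend(label.encode("ascii"))
    msg.append(0)

def decode_name(msg, pos):
    """Decode the name at pos, following pointers (bounded to stop loops)."""
    labels, hops = [], 0
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels) + "."

def rdata_seen_by_client(qname, rrtype, stored):
    """Build a one-answer response to qname and decode its rdata."""
    msg, offsets = bytearray(), {}
    msg.extend(struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0))
    encode_name(qname, msg, offsets)            # question: client's spelling
    msg.extend(struct.pack("!2H", rrtype, 1))
    encode_name(qname, msg, offsets)            # owner: pointer to question
    msg.extend(struct.pack("!2HIH", rrtype, 1, 3600, 0))  # RDLENGTH patched below
    start = len(msg)
    if rrtype == PTR:
        encode_name(stored, msg, offsets)       # domain name: compressible
    else:
        msg.append(len(stored))                 # TXT: opaque character-string
        msg.extend(stored.encode("ascii"))
    struct.pack_into("!H", msg, start - 2, len(msg) - start)
    if rrtype == PTR:
        return decode_name(msg, start)
    return msg[start + 1:start + 1 + msg[start]].decode("ascii")
```

With the query spelled as in the message, the PTR target comes back as `uppercase.VanReiN.org.` because its `VanReiN.org` suffix is only a pointer into the question, while the TXT string is returned byte for byte.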