Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 16 September 2015 18:08 UTC

Date: Wed, 16 Sep 2015 18:08:43 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: kitten@ietf.org
Message-ID: <20150916180843.GA21942@mournblade.imrryr.org>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl> <20150915144724.GJ21942@mournblade.imrryr.org> <55F9118C.3050407@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55F9118C.3050407@openfortress.nl>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/dYB9PrsiRsa_rIVB3j7aWdTvEiw>

On Wed, Sep 16, 2015 at 08:51:56AM +0200, Rick van Rein wrote:

> Passing this through ods-signer (from OpenDNSSEC) already maps the PTR
> values to lowercase, probably as part of name canonicalisation in
> preparation of signing.  

That's unnecessary.  The actual records need not be in canonical
form, just the input to the signatures needs to be canonicalized.

> Manually editing the ods-signer output to mixed
> and uppercase again, reloaded it into the NSD name server... and again,
> the PTR values are mapped to lowercase.

They are not generally mapped to lower-case at zone construction time:

    $ dig +noall +nocl +nottl +ans -t ptr -x 169.229.218.207
    207.218.229.169.in-addr.arpa. PTR ees-ppworker-prod-01.IST.Berkeley.EDU.

However, "compression" means that the case of domains in the query
influences the output:

  $ dig +noall +ans +nocl +nottl -t ptr \
      _kerberos.uppercase.ptrdemo.VanReiN.org
  _kerberos.UPPERCASE.ptrdemo.VanReiN.org. PTR uppercase.VanReiN.org.

so indeed PTR is not case-preserving.  The choice is to use "TXT"
which is already supported by both MIT and Heimdal, or to bite the
bullet and define realms as being domain names, and if two strings
are the same valid domain name, then they are the same realm.

I still see no advantage in introducing KREALM.  Just needlessly
less usable than TXT.

-- 
	Viktor.
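An added example, not code from the thread or from either Kerberos implementation: a small Python model of RFC 1035 name compression that reproduces the effect Viktor describes, namely that when a server compresses a PTR target against an earlier occurrence of the same suffix in the question section, the decoded target takes on whatever case the client used in its query. The response builder, the case-insensitive compression policy, the zone contents and the `ptrdemo.VanReiN.org` names used as input are assumptions made for illustration; the `same_realm` helper at the end is the "realms are domain names" comparison rule from the message, not an API of MIT or Heimdal.

```python
import struct

# Added example (not from the thread): minimal RFC 1035 wire encoder/decoder
# with name compression.  Zone data, names and compression policy are
# assumptions chosen to show why PTR targets are not case-preserving.

TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name, offset, table):
    """Encode `name` starting at message offset `offset`.  Any suffix already
    present in `table` (matched case-insensitively, as real servers do) is
    replaced by a 2-byte pointer; new suffixes are recorded with their offset."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        table[suffix] = offset + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    return bytes(out)


def decode_name(msg, offset, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointer hops are bounded so a crafted loop cannot hang the parser."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def build_ptr_response(qname, owner, target, txid=0x1234):
    """Build a response carrying one PTR RR.  `qname` is the name exactly as
    the client sent it; `owner` and `target` are the zone's (mixed-case) data."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0))
    table = {}
    msg += encode_name(qname, len(msg), table)
    msg += struct.pack("!HH", TYPE_PTR, CLASS_IN)
    msg += encode_name(owner, len(msg), table)
    msg += struct.pack("!HHI", TYPE_PTR, CLASS_IN, 3600)
    rdata = encode_name(target, len(msg) + 2, table)  # +2 for RDLENGTH
    msg += struct.pack("!H", len(rdata)) + rdata
    return bytes(msg)


def parse_ptr_response(msg):
    """Return (question name, answer owner, PTR target) as a resolver sees them."""
    qname, off = decode_name(msg, 12)
    off += 4  # QTYPE + QCLASS
    owner, off = decode_name(msg, off)
    _rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    target, _ = decode_name(msg, off + 10)
    return qname, owner, target


def same_realm(a, b):
    """Treat realms as domain names: equal if they name the same domain,
    regardless of case or a trailing root dot."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


if __name__ == "__main__":
    # Constructed zone data: owner and target stored in mixed case.
    owner, target = "_kerberos.UPPERCASE.ptrdemo.VanReiN.org", "UPPERCASE.VanReiN.org"
    for q in ("_kerberos.uppercase.ptrdemo.vanrein.org",
              "_kerberos.uppercase.ptrdemo.VanReiN.org"):
        print(q, "->", parse_ptr_response(build_ptr_response(q, owner, target)))
```

Running the demo shows the "VanReiN.org" suffix of the target echoing the client's case (it is a pointer into the question), while the unique "UPPERCASE" label keeps the zone's case; the only stable contract is to compare realm names with `same_realm`.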