Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
Petr Spacek <pspacek@redhat.com> Wed, 01 June 2016 10:46 UTC
Return-Path: <pspacek@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9830912B059 for <kitten@ietfa.amsl.com>; Wed, 1 Jun 2016 03:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.348
X-Spam-Level:
X-Spam-Status: No, score=-8.348 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1x6T01-e0ocj for <kitten@ietfa.amsl.com>; Wed, 1 Jun 2016 03:46:21 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C65512B027 for <kitten@ietf.org>; Wed, 1 Jun 2016 03:46:21 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D236737E72; Wed, 1 Jun 2016 10:46:20 +0000 (UTC)
Received: from pspacek.brq.redhat.com (pspacek.brq.redhat.com [10.34.128.7]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u51AkIZe026672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 1 Jun 2016 06:46:20 -0400
To: Nico Williams <nico@cryptonector.com>
References: <1463500163.2432.9.camel@redhat.com> <20160519162545.GB19530@localhost> <1463676437.31173.36.camel@redhat.com> <9533fb26-6513-caca-efbc-158ebf6ca408@redhat.com> <20160520150629.GH19530@localhost>
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
Message-ID: <15d233ce-0c10-f13e-b87c-8b942163736d@redhat.com>
Date: Wed, 01 Jun 2016 12:46:18 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0
MIME-Version: 1.0
In-Reply-To: <20160520150629.GH19530@localhost>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Wed, 01 Jun 2016 10:46:20 +0000 (UTC)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/p12GIJqja51aBJLrpyBv-6YGkYg>
Cc: kitten@ietf.org
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2016 10:46:23 -0000
On 20.5.2016 17:06, Nico Williams wrote: > On Fri, May 20, 2016 at 09:26:42AM +0200, Petr Spacek wrote: >> On 19.5.2016 18:47, Nathaniel McCallum wrote: >>> On Thu, 2016-05-19 at 11:25 -0500, Nico Williams wrote: >>>> - Perhaps we should have our own RR type. In principle it's easy to >>>> add them, but: >> >> Any new RR type will be in worse position than URI because of reasons you >> stated below. > > Exactly. For the record, opinions of DNS gurus from dnsop list can be found in dnsop archives: http://www.ietf.org/mail-archive/web/dnsop/current/msg17526.html Message http://www.ietf.org/mail-archive/web/dnsop/current/msg17527.html indicates that it might be possible to standardize TXT if you try it. Message http://www.ietf.org/mail-archive/web/dnsop/current/msg17534.html argues that URI is good enough and that TXT is a bad practice. Pick an answer which suits you the best :-) > >>>> - If new RR types are the answer, then the DNS community needs to do >>>> something about UIs. For example, there could be an XML schema >>>> defining RR types' RDATA contents and UI elements. Then >>>> implementors could automatically translate those to code to >>>> implement UIs for new RR types. >> >> Oh yes, this is my plan for some time already but it always gets lower >> priority than something else ... I would not wait for it :-) > > Er, OK, how do we help you implement it? :) Personally I think that this can be solved by some clever usage of an existing bidirectional language + some metadata. My experience with Augeas shows that it works quite well and that people ironed out a lot of details and difficult corner cases so might be worth investigating this direction. If you do not like bidirectional languages look at https://datatracker.ietf.org/doc/draft-levine-dnsextlang/ and implement it :-) Have a nice day! Petr Spacek @ Red Hat >> More importantly, there was literally no usage & demand for the URI >> record up to now. Adding new RR types to UI is trivial as soon as you >> have justification for the management, so the demand could simply >> solve the UI problem for the URI RR type. > > Well, I hope so! The UI for URI is going to be very similar to the UI > for SRV. > > A machine-readable description of what the UI should be for each RR type > would have made this problem a non-problem, and might yet. > >>>> - Can you ask some DNS hosters to inveigh as to whether they would >>>> be willing to add arbitrary new RR types? (Presumably with a UI >>>> that requires the user to paste base64-/hex-encoded RDATA.) >> >> We have a standard for Handling of Unknown DNS RR Types: >> https://tools.ietf.org/html/rfc3597 >> >> It says that RDATA for unknown types should be typed in using hexadecimal >> notation: >> https://tools.ietf.org/html/rfc3597#section-5 > > Thanks. > >> Also, some servers/services simply lack UI (e.g. Windows Server 2003) >> but allow adding the record using standard DNS UPDATE protocol RFC >> 2136, which is also behavior mandated by RFC 3597. > > That's nice, but the services that Nathaniel is concerned about probably > don't support DNS UPDATEs. > > That's another thing. Implementations that support DNS UPDATE often > don't have useful authorization models, leading enterprises often to > having to write proxies [that invariably do not themselves speak DNS > UPDATE]. I'm not sure that a standard can help there, but I think it > might. One idea would be to associate authorization attributes to each > RR type and RRset name pattern so that the DNS server could evaluate the > DNS UPDATE client's authorization to perform a given operation. E.g., > the owner(s) of a given domainname (should ownership and/or ACLs be > expressible within DNS?) might get to manage associated SRV RRsets, and > maybe (subject to site-local policy) add/delete CNAMEs pointing to that > name, but maybe not modify the A/AAAA RRsets -- the "associated" bit > would be nice if it were expressed in a standard, while which operations > are allowed should be locally expressible based on simple labels for > each association, say. > > Nico > -- Petr Spacek @ Red Hat
- [kitten] Adoption of draft-mccallum-kitten-krb-se… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Jeffrey Altman
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Rick van Rein
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Jeffrey Altman
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Jeffrey Altman
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Benjamin Kaduk
- Re: [kitten] Adoption ofdraft-mccallum-kitten-krb… tom p.
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption ofdraft-mccallum-kitten-krb… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nathaniel McCallum
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Petr Spacek
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Petr Spacek
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Petr Spacek
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Nico Williams
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Petr Spacek
- Re: [kitten] Adoption of draft-mccallum-kitten-kr… Petr Spacek