IETF Logo Mail Archive

Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?

Petr Spacek <pspacek@redhat.com> Wed, 01 June 2016 10:46 UTC

Return-Path: <pspacek@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9830912B059 for <kitten@ietfa.amsl.com>; Wed, 1 Jun 2016 03:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.348
X-Spam-Level:
X-Spam-Status: No, score=-8.348 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1x6T01-e0ocj for <kitten@ietfa.amsl.com>; Wed, 1 Jun 2016 03:46:21 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C65512B027 for <kitten@ietf.org>; Wed, 1 Jun 2016 03:46:21 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D236737E72; Wed, 1 Jun 2016 10:46:20 +0000 (UTC)
Received: from pspacek.brq.redhat.com (pspacek.brq.redhat.com [10.34.128.7]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u51AkIZe026672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 1 Jun 2016 06:46:20 -0400
To: Nico Williams <nico@cryptonector.com>
References: <1463500163.2432.9.camel@redhat.com> <20160519162545.GB19530@localhost> <1463676437.31173.36.camel@redhat.com> <9533fb26-6513-caca-efbc-158ebf6ca408@redhat.com> <20160520150629.GH19530@localhost>
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
Message-ID: <15d233ce-0c10-f13e-b87c-8b942163736d@redhat.com>
Date: Wed, 01 Jun 2016 12:46:18 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0
MIME-Version: 1.0
In-Reply-To: <20160520150629.GH19530@localhost>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Wed, 01 Jun 2016 10:46:20 +0000 (UTC)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/p12GIJqja51aBJLrpyBv-6YGkYg>
Cc: kitten@ietf.org
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2016 10:46:23 -0000

On 20.5.2016 17:06, Nico Williams wrote:
> On Fri, May 20, 2016 at 09:26:42AM +0200, Petr Spacek wrote:
>> On 19.5.2016 18:47, Nathaniel McCallum wrote:
>>> On Thu, 2016-05-19 at 11:25 -0500, Nico Williams wrote:
>>>>  - Perhaps we should have our own RR type.  In principle it's easy to
>>>>    add them, but:
>>
>> Any new RR type will be in worse position than URI because of reasons you
>> stated below.
> 
> Exactly.

For the record, opinions of DNS gurus from dnsop list can be found in dnsop
archives:
http://www.ietf.org/mail-archive/web/dnsop/current/msg17526.html

Message
http://www.ietf.org/mail-archive/web/dnsop/current/msg17527.html
indicates that it might be possible to standardize TXT if you try it.

Message
http://www.ietf.org/mail-archive/web/dnsop/current/msg17534.html
argues that URI is good enough and that TXT is a bad practice.

Pick an answer which suits you the best :-)


> 
>>>>  - If new RR types are the answer, then the DNS community needs to do
>>>>    something about UIs.  For example, there could be an XML schema
>>>>    defining RR types' RDATA contents and UI elements.  Then
>>>>    implementors could automatically translate those to code to
>>>>    implement UIs for new RR types.
>>
>> Oh yes, this is my plan for some time already but it always gets lower
>> priority than something else ... I would not wait for it :-)
> 
> Er, OK, how do we help you implement it?  :)

Personally I think that this can be solved by some clever usage of an existing
bidirectional language + some metadata.

My experience with Augeas shows that it works quite well and that people
ironed out a lot of details and difficult corner cases so might be worth
investigating this direction.


If you do not like bidirectional languages look at
https://datatracker.ietf.org/doc/draft-levine-dnsextlang/
and implement it :-)

Have a nice day!

Petr Spacek  @  Red Hat


>> More importantly, there was literally no usage & demand for the URI
>> record up to now. Adding new RR types to UI is trivial as soon as you
>> have justification for the management, so the demand could simply
>> solve the UI problem for the URI RR type.
> 
> Well, I hope so!  The UI for URI is going to be very similar to the UI
> for SRV.
> 
> A machine-readable description of what the UI should be for each RR type
> would have made this problem a non-problem, and might yet.
> 
>>>>  - Can you ask some DNS hosters to inveigh as to whether they would
>>>>    be willing to add arbitrary new RR types?  (Presumably with a UI
>>>>    that requires the user to paste base64-/hex-encoded RDATA.)
>>
>> We have a standard for Handling of Unknown DNS RR Types:
>> https://tools.ietf.org/html/rfc3597
>>
>> It says that RDATA for unknown types should be typed in using hexadecimal
>> notation:
>> https://tools.ietf.org/html/rfc3597#section-5
> 
> Thanks.
> 
>> Also, some servers/services simply lack UI (e.g. Windows Server 2003)
>> but allow adding the record using standard DNS UPDATE protocol RFC
>> 2136, which is also behavior mandated by RFC 3597.
> 
> That's nice, but the services that Nathaniel is concerned about probably
> don't support DNS UPDATEs.
> 
> That's another thing.  Implementations that support DNS UPDATE often
> don't have useful authorization models, leading enterprises often to
> having to write proxies [that invariably do not themselves speak DNS
> UPDATE].  I'm not sure that a standard can help there, but I think it
> might.  One idea would be to associate authorization attributes to each
> RR type and RRset name pattern so that the DNS server could evaluate the
> DNS UPDATE client's authorization to perform a given operation.  E.g.,
> the owner(s) of a given domainname (should ownership and/or ACLs be
> expressible within DNS?) might get to manage associated SRV RRsets, and
> maybe (subject to site-local policy) add/delete CNAMEs pointing to that
> name, but maybe not modify the A/AAAA RRsets -- the "associated" bit
> would be nice if it were expressed in a standard, while which operations
> are allowed should be locally expressible based on simple labels for
> each association, say.
> 
> Nico
> 


-- 
Petr Spacek  @  Red Hat

v2.23.0 | Report a Bug | By Email