IETF Logo Mail Archive

Re: [kitten] Kerberos Service Discovery using DNS

Benjamin Kaduk <kaduk@MIT.EDU> Wed, 11 March 2015 16:44 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88C311A1B17 for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 09:44:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nVejYooR8ck for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 09:44:12 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D9011A1AFC for <kitten@ietf.org>; Wed, 11 Mar 2015 09:44:12 -0700 (PDT)
X-AuditID: 1209190e-f79bb6d0000030e8-13-550070db63cb
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 85.C0.12520.BD070055; Wed, 11 Mar 2015 12:44:11 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t2BGiAdj006417; Wed, 11 Mar 2015 12:44:10 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2BGi80o030270 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 11 Mar 2015 12:44:09 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t2BGi77E012221; Wed, 11 Mar 2015 12:44:07 -0400 (EDT)
Date: Wed, 11 Mar 2015 12:44:07 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nathaniel McCallum <npmccallum@redhat.com>
In-Reply-To: <1426091451.3471.35.camel@redhat.com>
Message-ID: <alpine.GSO.1.10.1503111236240.3953@multics.mit.edu>
References: <1425578271.2715.5.camel@redhat.com> <alpine.GSO.1.10.1503111201350.3953@multics.mit.edu> <1426091451.3471.35.camel@redhat.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLIsWRmVeSWpSXmKPExsUixG6nrnu7gCHUYPM0Poujm1exWMz9OovV gcljyZKfTB7v911lC2CK4rJJSc3JLEst0rdL4MqYcVm44Ltoxd1WyQbGdYJdjJwcEgImErMb T7BB2GISF+6tB7K5OIQEFjNJ3HtznQnC2cgosXj5I3YI5xCTRN+3lVBOA6PE+n0XWUD6WQS0 JbpbZjCC2GwCKhIz32wEmysioCexbN8EsDizgLDE+nMzmEFsYQEric0bl4DFOQWMJF7tWQg2 h1fAQaLraTMzxIIeRommxvNMIAlRAR2J1funQBUJSpyc+YQFYqiWxPLp21gmMArOQpKahSS1 gJFpFaNsSm6Vbm5iZk5xarJucXJiXl5qka6xXm5miV5qSukmRlCockry7WD8elDpEKMAB6MS D++MWf9DhFgTy4orcw8xSnIwKYnyBiQzhArxJeWnVGYkFmfEF5XmpBYfYpTgYFYS4d0RCJTj TUmsrEotyodJSXOwKInzbvrBFyIkkJ5YkpqdmlqQWgSTleHgUJLgzcsHahQsSk1PrUjLzClB SDNxcIIM5wEaHgdSw1tckJhbnJkOkT/FqCglzpsCkhAASWSU5sH1wlLJK0ZxoFeEebeBVPEA 0xBc9yugwUxAg1msgZ7kLS5JREhJNTBmrBL7nrv+xi4Gxjk7ONg++VSJca7blPhw24fYw1+X LW5Qilk3bZmza1fI4d8cWX2aN54XB761MTAUKpH8q/Sq6/1Jr9baGI/I6BY+xilFjPuu5vS+ a/zovMRCfLXVZ8EXVcKr7VYZ7+RaZLL6RUi48i27K1PzHXfs3VrfuIL5RFWzfGDznI1KLMUZ iYZazEXFiQDNfGPgAAMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/rlriujH-EzWgIyvkM2AH9xUWc3o>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 16:44:14 -0000

On Wed, 11 Mar 2015, Nathaniel McCallum wrote:

> On Wed, 2015-03-11 at 12:05 -0400, Benjamin Kaduk wrote:
> > On Thu, 5 Mar 2015, Nathaniel McCallum wrote:
> >
> > > I have uploaded a new draft:
> > >
> > http://datatracker.ietf.org/doc/draft-mccallum-kitten-krb-service-discovery/
> > >
> > > If you'd like to discuss it, reply to this message. :)
> >
> > I'm generally in favor of something like this.
> >
> > A few things that came to mind while reading it that have not
> > already been
> > raised:
> >
> > You cover kerberos and kpasswd, but not kadmin.  Any reason why?
> > (MIT's code does not currently support using DNS to locate an admin
> > server, but that's not a reason to reject adding it to a discovery
> > protocol in its own
> > right.)
>
> My understanding is that kadmin is a proprietary protocol and has not
> been standardized. If that is incorrect, I can certainly add it. Does
> it already have a standardized discovery protocol?

There are at least two different proprietary kadmin protocols.
SRV records for _kerberos-adm._tcp.[realm] are documented by both
MIT and Heimdal, and exist at many sites.  It looks like Heimdal doesn't
actually implement client support for them, either, though, judging by git
grep.  (The corresponding draft-ietf-cat-krb-dns-locate seems to have
withered and died.)

> > I'm uncertain that section 3 is necessary.  Section 7.2.3.1 of RFC
> > 4120 seems to just be saying "you can't make two kerberos realms
> > that differ only in case"; whatever case is used for the DNS query,
> > the response will
> > be the same.
>
> Do I understand you correctly to suggest that I simply remove section 3
> altogether and say nothing about realm-to-domain translation?

That's my suggestion.  I am not 100% confident that it is correct, though.

> > Section 5.1 calls out that the default path differs from that in [MS-
> > KKDCP].  It seems like some justification for this deviation should
> > be
> > offered, or the gratuitous difference removed.
>
> Good point. My justification is simply that the default provided by MS-
> KKDCP will confuse DNS admins.
>
> They will see a URI that looks like this:
>   https://kdc.foo.com
>
> They will expect this behavior from past experience:
>   https://kdc.foo.com/
>
> But they will actually get this behavior:
>   https://kdc.foo.com/KdcProxy
>
> Even if we were to use a different URI scheme, I think this behavior
> expectation mismatch will be pronounced.
>
> I suspect the use of /KdcProxy is really just an implementation
> detail. Its only appearance is in Section 2.1 and its meaning is
> rather vague. I would like some clarification from MS regarding this
> question.

I guess I am satisfied by Greg's response on this point.

-Ben

v2.23.0 | Report a Bug | By Email