Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 15 September 2015 16:20 UTC

Date: Tue, 15 Sep 2015 16:20:22 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: kitten@ietf.org
Message-ID: <20150915162022.GM21942@mournblade.imrryr.org>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <55F7C3FA.5090802@openfortress.nl> <20150915073030.GD21942@mournblade.imrryr.org> <55F7CB98.6060300@openfortress.nl> <20150915144724.GJ21942@mournblade.imrryr.org> <55F8350B.5030805@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55F8350B.5030805@openfortress.nl>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/wkVuQ6ICd9W0X9VW32Vkre_7doc>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

On Tue, Sep 15, 2015 at 05:11:07PM +0200, Rick van Rein wrote:

> Hi Vik,

That's not my name.

> There is another reason to prefer a binary format, and that is to leave
> the door ajar for future i18n attempts of Kerberos realm names.  That is
> hard enough as it is now, without having to deal with DNS i18n as well.

Well, names that are i18n, but don't map into DNS are not going to
do anyone much good.  They need to be avoided.  It is precisely
*because* PTR constrains you to valid A-labels, that it is the right
way to map realms into DNS.

> > It is *exactly* the meaning you have in mind.  A DNS name that is
> > not an alias.  A pointer to another place in the DNS.
> 
> Assuming a Kerberos realm from a DNS name is not automatically safe
> because it may not be intended as such by the DNS zone operator /
> signer.  Because not all DNS names are intended to be, or have Kerberos
> realms.  That is the problem with overloaded / mind-read types that also
> have another life.

I'm not assuming anything.  I am proposing that:

	_kerberos.host.example.com. IN PTR EXAMPLE.COM.

mean that the realm of "host.example.com" is "EXAMPLE.COM".  If
this mapping sometimes loses case, it may well be time to consider
defining the realm portion of Kerberos principals to be case-insensitive
for A-labels, and for non-ASCII names (as with IDNA 2008) *required*
to be effectively lower-case for U-labels.

The realm is going to be used for SRV lookups, and needs to be a
valid DNS name.  Also, the realm should be case-insensitive anyway;
time to bite that bullet.


> I would like to hear if i18n experts agree to such mappings.  And
> especially in the context of Kerberos, where we are dealing with older
> applications that were a bit too liberal with what they put into their
> realm name fields.

They don't all have to use DNS for realm mappings, they've gotten
by without so far.

> > Kerberos realms in DNS should be DNS names,
> 
> I've found that people in the Kerberos community treat old habits as
> things that die hard.  What you are saying probably applies to 99% of
> the users, but I see no point to forbid other forms of realm name in
> DNS.

I am proposing leaving legacy behind here, because we don't break
anything by not carrying it forward into DNS.

Of course you could simply standardize the current informal

    _kerberos.host.example.com. IN TXT "EXAMPLE.COM"

that'd be even more backwards compatible.  I already have a large
install-base of those.  And yet I think that PTR makes more sense
in the long run.  I see no compelling reason for KREALM.

-- 
	Viktor.
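The mapping argued for in the message above, as an added example that is not part of the original thread or of any Kerberos implementation: a client looks up `_kerberos.<host>` (PTR first, then the informal TXT form), accepts the answer as a realm only if it is a syntactically valid DNS name made of LDH labels (so a value that could never be used for the later SRV lookup is rejected), folds the result into a canonical case, and only trusts answers a validating resolver marked as DNSSEC-authenticated. The resolver is a constructed in-memory table (`FAKE_ANSWERS`, with an `ad` flag standing in for the AD bit), the upper-case canonical realm spelling is an assumption, and all host and realm names are made up for illustration.

```python
import re
from collections import namedtuple

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen;
# 1..63 octets.  This is the LDH rule every A-label must satisfy.
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')

# status is one of: ok | insecure | invalid | nxdomain
RealmResult = namedtuple('RealmResult', 'realm status')


def is_valid_dns_name(name):
    """True if `name` is a syntactically valid DNS name made of LDH labels."""
    name = name.rstrip('.')
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split('.'))


def canonical_realm(name):
    """Fold a DNS name into one canonical realm spelling.

    Assumption (as the message proposes): realms are case-insensitive, so
    upper-casing the A-label form loses nothing.
    """
    return name.rstrip('.').upper()


# Constructed stand-in for a validating resolver: (qname, qtype) -> answer.
# 'ad' mimics the AD bit: True means the answer was DNSSEC-validated.
FAKE_ANSWERS = {
    ('_kerberos.host.example.com.', 'PTR'): {'ad': True, 'rdata': ['example.com.']},
    ('_kerberos.host.example.com.', 'TXT'): {'ad': True, 'rdata': ['EXAMPLE.COM']},
    ('_kerberos.host.example.org.', 'PTR'): {'ad': False, 'rdata': ['example.org.']},
    ('_kerberos.legacy.example.net.', 'TXT'): {'ad': True, 'rdata': ['LEGACY REALM']},
}


def lookup(qname, qtype):
    """Return the constructed answer for a query, or None for NXDOMAIN/NODATA."""
    return FAKE_ANSWERS.get((qname, qtype))


def realm_for_host(host, require_secure=True):
    """Derive the Kerberos realm of `host` from _kerberos.<host> PTR, then TXT.

    Unless require_secure is False, only DNSSEC-validated answers are used,
    and in every case only values that are valid DNS names become realms.
    """
    qname = '_kerberos.' + host.rstrip('.') + '.'
    saw_insecure = saw_invalid = False
    for qtype in ('PTR', 'TXT'):
        answer = lookup(qname, qtype)
        if answer is None:
            continue
        if require_secure and not answer['ad']:
            saw_insecure = True
            continue
        for rdata in answer['rdata']:
            if is_valid_dns_name(rdata):
                return RealmResult(canonical_realm(rdata), 'ok')
        saw_invalid = True
    if saw_insecure:
        return RealmResult(None, 'insecure')
    if saw_invalid:
        return RealmResult(None, 'invalid')
    return RealmResult(None, 'nxdomain')


def kdc_srv_names(realm):
    """SRV owner names a client would query to locate KDCs for `realm`.

    This is why the realm must be a valid DNS name: it becomes a query name.
    """
    base = realm.rstrip('.').lower()
    return ['_kerberos._udp.' + base + '.', '_kerberos._tcp.' + base + '.']


if __name__ == '__main__':
    for h in ('host.example.com', 'host.example.org',
              'legacy.example.net', 'none.example'):
        print(h, realm_for_host(h))
```

The `LEGACY REALM` entry shows the case the message wants to leave behind: a free-form TXT string that is not a DNS name is reported as `invalid` rather than silently used, and the unsigned `example.org` answer is reported as `insecure` unless the caller explicitly opts out of DNSSEC.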